diff --git a/packages/darktrace/0.1.0/LICENSE.txt b/packages/darktrace/0.1.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/darktrace/0.1.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/darktrace/0.1.0/changelog.yml b/packages/darktrace/0.1.0/changelog.yml
deleted file mode 100755
index f66c5d70aa..0000000000
--- a/packages/darktrace/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: '0.1.0'
- changes:
- - description: Initial Release.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4001
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 7f34d9e5ec..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,50 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: GET
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{url}}/aianalyst/incidentevents?includeacknowledged=true&includeincidenteventurl=true
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: header.DTAPI-Token
- value: {{public_token}}
- - set:
- target: header.DTAPI-Date
- value: '[[formatDate (now) "20060102T150405"]]'
- - set:
- target: url.params.starttime
- value: '[[.cursor.last_execution_datetime]]'
- default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]'
- - set:
- target: url.params.endtime
- value: '[[(now).UnixMilli]]'
- - set:
- target: header.DTAPI-Signature
- value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]'
-cursor:
- last_execution_datetime:
- value: '[[.last_response.url.params.Get "endtime"]]'
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs
deleted file mode 100755
index b1d260f0f9..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs
deleted file mode 100755
index f342c4fa75..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if udp_options}}
-{{udp_options}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3b22b43d8b..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,856 +0,0 @@ ---- -description: Pipeline for processing AI Analyst Alert logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - grok: - field: message - patterns: - - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" - pattern_definitions: - FIELD: "[a-zA-Z]*" - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.id - - json.createdAt - - json.activityId - - json.currentGroup - target_field: _id - ignore_missing: true - - set: - field: event.kind - value: alert - if: (['critical','suspicious'].contains(ctx.json?.category?.toLowerCase())) - - set: - field: event.kind - value: event - if: (['compliance','informational'].contains(ctx.json?.category?.toLowerCase())) - - set: - field: event.category - value: [threat] - if: ctx.event?.kind == 'alert' - - set: - field: event.type - value: [info] - - rename: - field: json.activityId - target_field: darktrace.ai_analyst_alert.activity_id - ignore_missing: true - - convert: - field: json.aiaScore - target_field: darktrace.ai_analyst_alert.aia_score - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.risk_score - copy_from: darktrace.ai_analyst_alert.aia_score - ignore_failure: true - - set: - field: event.risk_score_norm - copy_from: darktrace.ai_analyst_alert.aia_score - ignore_failure: true - - foreach: - field: json.attackPhases - if: ctx.json?.attackPhases instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value - type: long - on_failure: - - remove: - field: _ingest._value - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.attackPhases - target_field: darktrace.ai_analyst_alert.attack_phases - ignore_missing: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices 
instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.did - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.did - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - append: - field: host.id - value: '{{{_ingest._value.did}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: host.id - type: string - ignore_missing: true - on_failure: - - remove: - field: host.id - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.hostname - type: ip - target_field: _ingest._value._temp_.hostname_ip - ignore_missing: true - on_failure: - - append: - field: host.hostname - value: '{{{_ingest._value.hostname}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value._temp_.hostname_ip}}}' - allow_duplicates: false - ignore_failure: true - - set: - field: related.hosts - copy_from: host.hostname - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.identifier - target_field: _ingest._value._temp_.identifier_ip - type: ip - ignore_missing: true - on_failure: - - append: - field: host.name - value: '{{{_ingest._value.identifier}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - append: - field: related.ip - value: 
'{{{_ingest._value._temp_.identifier_ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: host.name - if: ctx.host?.name instanceof List - ignore_failure: true - processor: - append: - field: related.hosts - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.ip - target_field: _ingest._value._temp_.ip - type: ip - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - append: - field: host.ip - value: '{{{_ingest._value._temp_.ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: host.ip - if: ctx.host?.ip instanceof List - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - gsub: - field: _ingest._value.mac - target_field: _ingest._value.mac_address - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - uppercase: - field: _ingest._value.mac_address - ignore_missing: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - append: - field: host.mac - value: '{{{_ingest._value.mac_address}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.sid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sid - - append: - field: error.message - value: 
'{{{_ingest.on_failure_message}}}' - - foreach: - field: json.breachDevices - if: ctx.json?.breachDevices instanceof List - ignore_failure: true - processor: - remove: - field: - - _ingest._value._temp_ - - _ingest._value.mac - ignore_missing: true - - rename: - field: json.breachDevices - target_field: darktrace.ai_analyst_alert.breach_devices - ignore_missing: true - - rename: - field: json.category - target_field: darktrace.ai_analyst_alert.category - ignore_missing: true - - rename: - field: json.children - target_field: darktrace.ai_analyst_alert.children - ignore_missing: true - - set: - field: threat.enrichments.matched.id - copy_from: darktrace.ai_analyst_alert.children - ignore_failure: true - - date: - field: json.createdAt - target_field: darktrace.ai_analyst_alert.created_at - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - if: ctx.json?.createdAt != null - on_failure: - - remove: - field: json.createdAt - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: darktrace.ai_analyst_alert.created_at - ignore_failure: true - - rename: - field: json.currentGroup - target_field: darktrace.ai_analyst_alert.current_group - ignore_missing: true - - set: - field: threat.group.id - copy_from: darktrace.ai_analyst_alert.current_group - ignore_failure: true - if: ctx.darktrace?.ai_analyst_alert?.current_group != null - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - convert: - field: _ingest._value.ip - target_field: _ingest._value._temp_.ip - type: ip - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - 
processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value._temp_.ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - convert: - field: _ingest._value.hostname - target_field: _ingest._value._temp_.hostname_ip - type: ip - ignore_missing: true - on_failure: - - append: - field: related.hosts - value: '{{{_ingest._value.hostname}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value._temp_.hostname_ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - convert: - field: _ingest._value.identifier - target_field: _ingest._value._temp_.identifier_ip - type: ip - ignore_missing: true - on_failure: - - append: - field: related.hosts - value: 
'{{{_ingest._value.identifier}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value._temp_.identifier_ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - gsub: - field: _ingest._value.mac - target_field: _ingest._value.mac_address - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - uppercase: - field: _ingest._value.mac_address - ignore_missing: true - - foreach: - field: json.details - if: ctx.json?.details instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value - ignore_failure: true - processor: - foreach: - field: _ingest._value.contents - ignore_failure: true - processor: - foreach: - field: _ingest._value.values - ignore_failure: true - processor: - remove: - field: - - _ingest._value._temp_ - - _ingest._value.mac - ignore_missing: true - - rename: - field: json.details - target_field: darktrace.ai_analyst_alert.details - ignore_missing: true - - convert: - 
field: json.groupByActivity - target_field: darktrace.ai_analyst_alert.group_by_activity - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: threat.group.id - copy_from: darktrace.ai_analyst_alert.activity_id - ignore_failure: true - if: ctx.threat?.group?.id == null && ctx.darktrace?.ai_analyst_alert?.group_by_activity == true - - rename: - field: json.groupCategory - target_field: darktrace.ai_analyst_alert.group_category - ignore_missing: true - - rename: - field: json.groupPreviousGroups - target_field: darktrace.ai_analyst_alert.group_previous_groups - ignore_missing: true - - convert: - field: json.groupScore - target_field: darktrace.ai_analyst_alert.group_score - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.groupingIds - target_field: darktrace.ai_analyst_alert.grouping_ids - ignore_missing: true - - rename: - field: json.id - target_field: darktrace.ai_analyst_alert.id - ignore_missing: true - - set: - field: event.id - copy_from: darktrace.ai_analyst_alert.id - ignore_failure: true - - uri_parts: - field: json.incidentEventUrl - target_field: darktrace.ai_analyst_alert.incident_event_url - if: ctx.json?.incidentEventUrl != null - keep_original: true - on_failure: - - remove: - field: json.incidentEventUrl - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.url - copy_from: darktrace.ai_analyst_alert.incident_event_url.original - ignore_failure: true - - convert: - field: json.acknowledged - target_field: darktrace.ai_analyst_alert.is_acknowledged - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.externalTriggered - target_field: darktrace.ai_analyst_alert.is_external_triggered - type: boolean - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.pinned - target_field: darktrace.ai_analyst_alert.is_pinned - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.userTriggered - target_field: darktrace.ai_analyst_alert.is_user_triggered - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - script: - description: Determine event.duration from starting and ending activity timestamp. - if: ctx.json?.periods instanceof List - lang: painless - ignore_failure: true - params: - NANOS_IN_A_MILLI_SECOND: 1000000 - source: - def duration = new ArrayList(); - for (event in ctx.json.periods) { - duration.add((event?.end - event?.start) * params.NANOS_IN_A_MILLI_SECOND); - } - ctx.event.duration = duration; - - foreach: - field: json.periods - if: ctx.json?.periods instanceof List - ignore_failure: true - processor: - date: - field: _ingest._value.end - target_field: _ingest._value.end - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.end - ignore_missing: true - - foreach: - field: json.periods - if: ctx.json?.periods instanceof List - ignore_failure: true - processor: - date: - field: _ingest._value.start - target_field: _ingest._value.start - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.start - ignore_missing: true - - rename: - field: json.periods - target_field: darktrace.ai_analyst_alert.periods - ignore_missing: true - - foreach: - field: darktrace.ai_analyst_alert.periods - if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List - ignore_failure: true - processor: - append: - field: event.end - value: '{{{_ingest._value.end}}}' - allow_duplicates: false - ignore_failure: true 
- - foreach: - field: darktrace.ai_analyst_alert.periods - if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List - ignore_failure: true - processor: - append: - field: event.start - value: '{{{_ingest._value.start}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - date: - field: _ingest._value.timestamp - target_field: _ingest._value.timestamp - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.timestamp - ignore_missing: true - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.pbid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.pbid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.threatScore - target_field: _ingest._value.threat_score - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.threatScore - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - rename: - field: _ingest._value.modelName - target_field: _ingest._value.model_name - ignore_missing: true - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - append: - field: rule.name - value: '{{{_ingest._value.model_name}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.relatedBreaches - if: ctx.json?.relatedBreaches instanceof List - ignore_failure: true - processor: - remove: - field: 
_ingest._value.threatScore - ignore_missing: true - - rename: - field: json.relatedBreaches - target_field: darktrace.ai_analyst_alert.related_breaches - ignore_missing: true - - rename: - field: json.summariser - target_field: darktrace.ai_analyst_alert.summariser - ignore_missing: true - - rename: - field: json.summary - target_field: darktrace.ai_analyst_alert.summary - ignore_missing: true - - set: - field: message - copy_from: darktrace.ai_analyst_alert.summary - ignore_failure: true - - rename: - field: json.title - target_field: darktrace.ai_analyst_alert.title - ignore_missing: true - - set: - field: event.reason - copy_from: darktrace.ai_analyst_alert.title - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - darktrace.ai_analyst_alert.created_at - - darktrace.ai_analyst_alert.summary - - darktrace.ai_analyst_alert.id - - darktrace.ai_analyst_alert.title - - darktrace.ai_analyst_alert.aia_score - - darktrace.ai_analyst_alert.children - ignore_failure: true - ignore_missing: true - - foreach: - field: darktrace.ai_analyst_alert.related_breaches - if: ctx.darktrace?.ai_analyst_alert?.related_breaches instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) - ignore_failure: true - processor: - remove: - field: - - _ingest._value.model_name - ignore_missing: true - ignore_failure: true - - foreach: - field: darktrace.ai_analyst_alert.periods - if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) - ignore_failure: true - processor: - remove: - field: - - _ingest._value.start - - _ingest._value.end - ignore_missing: true - ignore_failure: true - - foreach: - field: darktrace.ai_analyst_alert.breach_devices - if: ctx.darktrace?.ai_analyst_alert?.breach_devices instanceof List && (ctx.tags == null || 
!(ctx.tags.contains('preserve_duplicate_custom_fields'))) - ignore_failure: true - processor: - remove: - field: - - _ingest._value.did - - _ingest._value.mac_address - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/agent.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/agent.yml deleted file mode 100755 index 10023a1174..0000000000 --- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/agent.yml +++ /dev/null 
@@ -1,183 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >-
- If the host is a container.
- - name: os.build
- type: keyword
- example: '18D109'
- description: >-
- OS build information.
- - name: os.codename
- type: keyword
- example: 'stretch'
- description: >-
- OS codename, if any.
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/base-fields.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/base-fields.yml
deleted file mode 100755
index f5f5a863f1..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: darktrace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: darktrace.ai_analyst_alert
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/ecs.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/ecs.yml
deleted file mode 100755
index 26068c71d3..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/ecs.yml
+++ /dev/null
@@ -1,153 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
- name: event.risk_score
- type: float
-- description: |-
- Normalized risk score or priority of the event, on a scale of 0 to 100.
- This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
- name: event.risk_score_norm
- type: float
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- URL linking to an external system to continue investigation of this event.
- This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.url
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: The device or application that originated the Syslog message, if available.
- name: log.syslog.appname
- type: keyword
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: The Syslog text-based facility of the log event, if available.
- name: log.syslog.facility.name
- type: keyword
-- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
- name: log.syslog.hostname
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
- name: log.syslog.severity.name
- type: keyword
-- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
- name: log.syslog.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: Identifies the _id of the indicator document enriching the event.
- name: threat.enrichments.matched.id
- type: keyword
-- description: |-
- The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.
- While not required, you can use a MITRE ATT&CK® group id.
- name: threat.group.id
- type: keyword
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/fields.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/fields.yml
deleted file mode 100755
index 2a6a32bea6..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/fields/fields.yml
+++ /dev/null
@@ -1,143 +0,0 @@
-- name: darktrace.ai_analyst_alert
- type: group
- fields:
- - name: activity_id
- type: keyword
- description: An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident.
- - name: aia_score
- type: double
- description: The score of the event as classified by AI Analyst - out of 100.
- - name: attack_phases
- type: long
- description: Of the six attack phases, which phases are applicable to the activity.
- - name: breach_devices
- type: group
- fields:
- - name: did
- type: long
- description: The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer.
- - name: hostname
- type: keyword
- description: The hostname associated with the device, if available.
- - name: identifier
- type: keyword
- description: An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability.
- - name: ip
- type: keyword
- description: The IP associated with the device.
- - name: mac_address
- type: keyword
- description: The MAC address associated with the device.
- - name: sid
- type: long
- description: The subnet id for the subnet the device is currently located in.
- - name: subnet
- type: keyword
- description: The subnet label for the corresponding subnet, if available.
- - name: category
- type: keyword
- description: The behavior category associated with the incident event.
- - name: children
- type: keyword
- description: One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values.
- - name: created_at
- type: date
- description: Timestamp for event creation in epoch time.
- - name: current_group
- type: keyword
- description: The UUID of the current incident this event belongs to.
- - name: details
- type: flattened
- description: An array of multiple sections (sub-arrays) of event information.
- - name: group_by_activity
- type: boolean
- description: Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s).
- - name: group_category
- type: keyword
- description: The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only.
- - name: group_previous_groups
- type: keyword
- description: If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged.
- - name: group_score
- type: double
- description: The current overall score of the incident this event is part of.
- - name: grouping_ids
- type: keyword
- description: Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident.
- - name: id
- type: keyword
- description: A system field.
- - name: incident_event_url
- type: group
- description: A URL to access the AI Analyst alert in the Threat Visualizer.
- fields:
- - name: domain
- type: keyword
- - name: extension
- type: keyword
- - name: fragment
- type: keyword
- - name: full
- type: keyword
- - name: original
- type: keyword
- - name: password
- type: keyword
- - name: path
- type: keyword
- - name: port
- type: long
- - name: query
- type: keyword
- - name: scheme
- type: keyword
- - name: username
- type: keyword
- - name: is_acknowledged
- type: boolean
- description: Whether the event has been acknowledged.
- - name: is_external_triggered
- type: boolean
- description: Whether the event was created as a result of an externally triggered AI Analyst investigation.
- - name: is_pinned
- type: boolean
- description: Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified.
- - name: is_user_triggered
- type: boolean
- description: Whether the event was created as a result of a user-triggered AI Analyst investigation.
- - name: periods
- type: group
- fields:
- - name: end
- type: date
- description: A timestamp for the end of the activity period in epoch time.
- - name: start
- type: date
- description: A timestamp for the start of the activity period in epoch time.
- - name: related_breaches
- type: group
- fields:
- - name: model_name
- type: keyword
- description: The name of the model that breached.
- - name: pbid
- type: long
- description: The policy breach ID unique identifier of the model breach.
- - name: threat_score
- type: long
- description: The breach score of the associated model breach - out of 100.
- - name: timestamp
- type: date
- description: The timestamp at which the model breach occurred in epoch time.
- - name: summariser
- type: keyword
- description: A system field.
- - name: summary
- type: keyword
- description: A textual summary of the suspicious activity. This example is abbreviated.
- - name: title
- type: keyword
- description: A title describing the activity that occurred.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/manifest.yml b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/manifest.yml
deleted file mode 100755
index 6e056b2c96..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/manifest.yml
+++ /dev/null
@@ -1,179 +0,0 @@
-title: Collect AI Analyst Alert logs from Darktrace
-type: logs
-streams:
- - input: httpjson
- title: AI Analyst Alert logs
- description: Collect AI Analyst Alert logs via API.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the AI Analyst Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s.
- default: 1m
- multi: false
- required: true
- show_user: true
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h.
- multi: false
- required: true
- show_user: false
- default: 30s
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-ai_analyst_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: tcp
- title: AI Analyst Alert logs
- description: Collect AI Analyst Alert logs via TCP input.
- template_path: tcp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9571
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-ai_analyst_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: udp
- title: AI Analyst Alert logs
- description: Collect AI Analyst Alert logs via UDP input.
- template_path: udp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9574
- - name: udp_options
- type: yaml
- title: Custom UDP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #timeout: 300s
- description: Specify custom configuration options for the UDP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-ai_analyst_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/sample_event.json b/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/sample_event.json
deleted file mode 100755
index fa6272b4ac..0000000000
--- a/packages/darktrace/0.1.0/data_stream/ai_analyst_alert/sample_event.json
+++ /dev/null
@@ -1,241 +0,0 @@
-{
- "@timestamp": "2021-08-03T14:48:09.240Z",
- "agent": {
- "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae",
- "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.1"
- },
- "darktrace": {
- "ai_analyst_alert": {
- "activity_id": "abcd1234",
- "aia_score": 98,
- "attack_phases": [
- 5
- ],
- "breach_devices": [
- {
- "did": 10,
- "ip": "81.2.69.144",
- "sid": 12,
- "subnet": "VPN"
- }
- ],
- "category": "critical",
- "children": [
- "eabcdef0-1234-1234-1234-cabcdefghij9"
- ],
- "created_at": "2021-08-03T14:48:09.240Z",
- "current_group": "eabc1234-1234-1234-1234-cabcdefg0011",
- "details": [
- [
- {
- "contents": [
- {
- "type": "device",
- "values": [
- {
- "did": 10,
- "ip": "175.16.199.1",
- "sid": 12,
- "subnet": "VPN"
- }
- ]
- }
- ],
- "header": "Breaching Device"
- }
- ],
- [
- {
- "contents": [
- {
- "key": "Time",
- "type": "timestampRange",
- "values": [
- {
- "end": 1628000141220,
- "start": 1627985298683
- }
- ]
- },
- {
- "key": "Number of unique IPs",
- "type": "integer",
- "values": [
- 16
- ]
- },
- {
- "key": "Targeted IP ranges include",
- "type": "device",
- "values": [
- {
- "ip": "81.2.69.192"
- },
- {
- "ip": "175.16.199.1"
- },
- {
- "ip": "175.16.199.3"
- }
- ]
- },
- {
- "key": "Destination port",
- "type": "integer",
- "values": [
- 22
- ]
- },
- {
- "key": "Connection count",
- "type": "integer",
- "values": [
- 40
- ]
- },
- {
- "key": "Percentage successful",
- "type": "percentage",
- "values": [
- 100
- ]
- }
- ],
- "header": "SSH Activity"
- }
- ]
- ],
- "group_by_activity": false,
- "group_category": "critical",
- "group_score": 72.9174234,
- "grouping_ids": [
- "abcdef12"
- ],
- "id": "eabc0011-1234-1234-1234-cabcdefg0011",
- "is_acknowledged": false,
- "is_external_triggered": false,
- "is_pinned": true,
- "is_user_triggered": false,
- "periods": [
- {
- "end": "2021-08-03T14:15:41.220Z",
- "start": "2021-08-03T10:08:18.683Z"
- }
- ],
- 
"related_breaches": [
- {
- "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device",
- "pbid": 1234,
- "threat_score": 37,
- "timestamp": "2021-08-03T13:25:57.000Z"
- }
- ],
- "summariser": "AdminConnSummary",
- "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
- "title": "Extensive Unusual SSH Connections"
- }
- },
- "data_stream": {
- "dataset": "darktrace.ai_analyst_alert",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
- "snapshot": false,
- "version": "8.2.1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "threat"
- ],
- "dataset": "darktrace.ai_analyst_alert",
- "duration": [
- 14842537000000
- ],
- "end": [
- "2021-08-03T14:15:41.220Z"
- ],
- "id": "eabc0011-1234-1234-1234-cabcdefg0011",
- "ingested": "2022-09-30T11:36:06Z",
- "kind": "alert",
- "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough 
this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
- "reason": "Extensive Unusual SSH Connections",
- "risk_score": 98,
- "risk_score_norm": 98,
- "start": [
- "2021-08-03T10:08:18.683Z"
- ],
- "type": [
- "info"
- ]
- },
- "host": {
- "id": [
- "10"
- ],
- "ip": [
- "81.2.69.144"
- ]
- },
- "input": {
- "type": 
"udp"
- },
- "log": {
- "source": {
- "address": "192.168.128.5:49066"
- },
- "syslog": {
- "facility": {
- "code": 20,
- "name": "local4"
- },
- "hostname": "example.cloud.darktrace.com",
- "priority": 165,
- "severity": {
- "code": 5,
- "name": "Notice"
- },
- "version": "1"
- }
- },
- "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
- "related": {
- "ip": [
- "81.2.69.144",
- "175.16.199.1",
- "81.2.69.192",
- "175.16.199.3"
- ]
- },
- "rule": {
- "name": [
- "Unusual Activity / Unusual Activity from Re-Activated Device"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "darktrace-ai_analyst_alert"
- ],
- "threat": {
- "enrichments": {
- "matched": {
- "id": [
- "eabcdef0-1234-1234-1234-cabcdefghij9"
- ]
- }
- },
- "group": {
- "id": "eabc1234-1234-1234-1234-cabcdefg0011"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 8201241e03..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,53 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: GET
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{url}}/modelbreaches?expandenums=true&historicmodelonly=true&includeacknowledged=true&includebreachurl=true
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: header.DTAPI-Token
- value: {{public_token}}
- - set:
- target: header.DTAPI-Date
- value: '[[formatDate (now) "20060102T150405"]]'
- - set:
- target: url.params.group
- value: 'device'
- - set:
- target: url.params.starttime
- value: '[[.cursor.last_execution_datetime]]'
- default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]'
- - set:
- target: url.params.endtime
- value: '[[(now).UnixMilli]]'
- - set:
- target: header.DTAPI-Signature
- value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]'
-cursor:
- last_execution_datetime:
- value: '[[toInt .last_event.time]]'
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs
deleted file mode 100755
index b1d260f0f9..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/udp.yml.hbs
deleted file mode 100755
index f342c4fa75..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if udp_options}}
-{{udp_options}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 126107e391..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1446 +0,0 @@ ---- -description: Pipeline for processing Model Breach Alert logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - grok: - field: message - patterns: - - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" - pattern_definitions: - FIELD: "[a-zA-Z]*" - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.time - - json.creationTime - - json.pbid - - json.model.phid - target_field: _id - ignore_missing: true - - set: - field: event.kind - value: alert - if: (['critical','suspicious'].contains(ctx.json?.model?.category?.toLowerCase())) - - set: - field: event.kind - value: event - if: (['compliance','informational'].contains(ctx.json?.model?.category?.toLowerCase())) - - set: - field: event.category - value: [threat] - if: ctx.event?.kind == 'alert' - - set: - field: event.type - value: [info] - - script: - description: Dynamically map event.* fields from metric label. 
- lang: painless - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - source: - for (component in ctx.json.triggeredComponents) { - if (component?.metric?.label?.toLowerCase().contains('connection')) { - ctx.event?.type?.add('connection'); - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - ctx.event.category.add('network'); - } - } - - foreach: - field: json.aianalystData - if: ctx.json?.aianalystData instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.related - ignore_failure: true - processor: - convert: - field: _ingest._value - type: long - on_failure: - - remove: - field: _ingest._value - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.aianalystData - target_field: darktrace.model_breach_alert.aianalyst_data - ignore_missing: true - - uri_parts: - field: json.breachUrl - target_field: darktrace.model_breach_alert.breach_url - if: ctx.json?.breachUrl != null - keep_original: true - on_failure: - - remove: - field: json.breachUrl - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.url - copy_from: darktrace.model_breach_alert.breach_url.original - ignore_failure: true - - convert: - field: json.commentCount - target_field: darktrace.model_breach_alert.comment.count - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.creationTime - target_field: darktrace.model_breach_alert.creation_time - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - if: ctx.json?.creationTime != null - on_failure: - - remove: - field: json.creationTime - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.created - copy_from: darktrace.model_breach_alert.creation_time - ignore_failure: true - - convert: - field: 
json.devicescore - target_field: darktrace.model_breach_alert.device_score - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.device.credentials - target_field: darktrace.model_breach_alert.device.credentials - ignore_missing: true - - convert: - field: json.device.did - target_field: darktrace.model_breach_alert.device.did - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: darktrace.model_breach_alert.device.did - ignore_missing: true - if: ctx.darktrace?.model_breach_alert?.device?.did != null && ctx.darktrace?.model_breach_alert?.device?.did < 0 - - convert: - field: darktrace.model_breach_alert.device.did - target_field: host.id - type: string - ignore_missing: true - on_failure: - - remove: - field: darktrace.model_breach_alert.device.did - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.device.firstSeen - target_field: darktrace.model_breach_alert.device.first_seen - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - if: ctx.json?.device?.firstSeen != null - on_failure: - - remove: - field: json.device.firstseen - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.device.hostname - target_field: json.device._temp_.hostname_ip - type: ip - ignore_missing: true - on_failure: - - set: - field: host.hostname - copy_from: json.device.hostname - ignore_failure: true - - append: - field: related.ip - value: '{{{json.device._temp_.hostname_ip}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device.hostname - target_field: darktrace.model_breach_alert.device.hostname - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.hostname}}}' - allow_duplicates: false - ignore_failure: true - 
- convert: - field: json.device.ip - target_field: darktrace.model_breach_alert.device._temp_.ip - type: ip - ignore_failure: true - - append: - field: host.ip - value: '{{{darktrace.model_breach_alert.device._temp_.ip}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: json.device.ip6 - target_field: darktrace.model_breach_alert.device._temp_.ip6 - type: ip - ignore_failure: true - - append: - field: host.ip - value: '{{{darktrace.model_breach_alert.device._temp_.ip6}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device.ip - target_field: darktrace.model_breach_alert.device.ip - ignore_missing: true - - rename: - field: json.device.ip6 - target_field: darktrace.model_breach_alert.device.ip6 - ignore_missing: true - - remove: - field: - - darktrace.model_breach_alert.device._temp_ - ignore_missing: true - - foreach: - field: host.ip - if: ctx.host?.ip instanceof List - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.ip - target_field: _ingest._value._temp_.ip - type: ip - ignore_failure: true - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - processor: - append: - field: related.ip - value: '{{{_ingest._value._temp_.ip}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - processor: - date: - field: _ingest._value.timems - target_field: _ingest._value.timems - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.timems - ignore_missing: true - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - 
processor: - date: - field: _ingest._value.time - target_field: _ingest._value.time - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - - 'yyyy-MM-dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.time - ignore_missing: true - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.sid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.ips - if: ctx.json?.device?.ips instanceof List - ignore_failure: true - processor: - remove: - field: _ingest._value._temp_ - ignore_missing: true - - rename: - field: json.device.ips - target_field: darktrace.model_breach_alert.device.ips - ignore_missing: true - - date: - field: json.device.lastSeen - target_field: darktrace.model_breach_alert.device.last_seen - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - if: ctx.json?.device?.lastSeen != null - on_failure: - - remove: - field: json.device.lastseen - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - gsub: - field: json.device.macaddress - target_field: darktrace.model_breach_alert.device.mac_address - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: darktrace.model_breach_alert.device.mac_address - ignore_missing: true - - set: - field: host.mac - copy_from: darktrace.model_breach_alert.device.mac_address - ignore_failure: true - - convert: - field: json.device.sid - target_field: darktrace.model_breach_alert.device.sid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.tid - type: long - 
ignore_missing: true - on_failure: - - remove: - field: _ingest._value.tid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.thid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.thid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.expiry - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.expiry - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.restricted - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.restricted - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.isReferenced - target_field: _ingest._value.is_referenced - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.isReferenced - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.data.auto - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.data.auto - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - 
ignore_failure: true - processor: - convert: - field: _ingest._value.data.color - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.color - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.device.tags - if: ctx.json?.device?.tags instanceof List - ignore_failure: true - processor: - remove: - field: _ingest._value.isReferenced - ignore_missing: true - - rename: - field: json.device.tags - target_field: darktrace.model_breach_alert.device.tags - ignore_missing: true - - rename: - field: json.device.typelabel - target_field: darktrace.model_breach_alert.device.type_label - ignore_missing: true - - rename: - field: json.device.typename - target_field: darktrace.model_breach_alert.device.type_name - ignore_missing: true - - set: - field: host.type - copy_from: darktrace.model_breach_alert.device.type_name - ignore_failure: true - - rename: - field: json.device.vendor - target_field: darktrace.model_breach_alert.device.vendor - ignore_missing: true - - convert: - field: json.acknowledged - target_field: darktrace.model_breach_alert.is_acknowledged - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.mitreTechniques - if: ctx.json?.mitreTechniques instanceof List - ignore_failure: true - processor: - rename: - field: _ingest._value.techniqueID - target_field: _ingest._value.id - ignore_missing: true - - foreach: - field: json.mitreTechniques - if: ctx.json?.mitreTechniques instanceof List - ignore_failure: true - processor: - rename: - field: _ingest._value.technique - target_field: _ingest._value.name - ignore_missing: true - - rename: - field: json.mitreTechniques - target_field: darktrace.model_breach_alert.mitre_techniques - ignore_missing: true - - foreach: - field: darktrace.model_breach_alert.mitre_techniques - if: ctx.darktrace?.model_breach_alert?.mitre_techniques 
instanceof List - ignore_failure: true - processor: - append: - field: threat.technique.id - value: '{{{_ingest._value.id}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: darktrace.model_breach_alert.mitre_techniques - if: ctx.darktrace?.model_breach_alert?.mitre_techniques instanceof List - ignore_failure: true - processor: - append: - field: threat.technique.name - value: '{{{_ingest._value.name}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.model.actions.antigena.action - target_field: darktrace.model_breach_alert.model.actions.antigena.action - ignore_missing: true - - set: - field: event.action - copy_from: darktrace.model_breach_alert.model.actions.antigena.action - ignore_failure: true - - convert: - field: json.model.actions.antigena.duration - target_field: darktrace.model_breach_alert.model.actions.antigena.duration - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.antigena.confirm - target_field: darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.antigena.threshold - target_field: darktrace.model_breach_alert.model.actions.antigena.threshold - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.alert - target_field: darktrace.model_breach_alert.model.actions.is_alerting - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.breach - target_field: darktrace.model_breach_alert.model.actions.is_breach - type: boolean - ignore_missing: true - on_failure: 
- - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.setPriority - target_field: darktrace.model_breach_alert.model.actions.is_priority_set - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.setTag - target_field: darktrace.model_breach_alert.model.actions.is_tag_set - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.setType - target_field: darktrace.model_breach_alert.model.actions.is_type_set - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.actions.model - target_field: darktrace.model_breach_alert.model.actions.model - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.activeTimes.version - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.activeTimes.version - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.model.activeTimes - target_field: darktrace.model_breach_alert.model.active_times - ignore_missing: true - - rename: - field: json.model.behaviour - target_field: darktrace.model_breach_alert.model.behaviour - ignore_missing: true - - rename: - field: json.model.category - target_field: darktrace.model_breach_alert.model.category - ignore_missing: true - - set: - field: rule.category - copy_from: darktrace.model_breach_alert.model.category - ignore_failure: true - - rename: - field: json.model.created.by - target_field: darktrace.model_breach_alert.model.created.by - ignore_missing: true - - append: - field: related.user - value: 
'{{{darktrace.model_breach_alert.model.created.by}}}' - allow_duplicates: false - ignore_failure: true - - set: - field: rule.author - copy_from: darktrace.model_breach_alert.model.created.by - ignore_failure: true - - foreach: - field: json.model.defeats - if: ctx.json?.model?.defeats instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.defeatID - target_field: _ingest._value.id - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.defeatID - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.model.defeats - if: ctx.json?.model?.defeats instanceof List - ignore_failure: true - processor: - remove: - field: _ingest._value.defeatID - ignore_missing: true - - rename: - field: json.model.defeats - target_field: darktrace.model_breach_alert.model.defeats - ignore_missing: true - - convert: - field: json.model.delay - target_field: darktrace.model_breach_alert.model.delay - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.model.description - target_field: darktrace.model_breach_alert.model.description - ignore_missing: true - - set: - field: rule.description - copy_from: darktrace.model_breach_alert.model.description - ignore_failure: true - - rename: - field: json.model.edited.by - target_field: darktrace.model_breach_alert.model.edited.by - ignore_missing: true - - append: - field: related.user - value: '{{{darktrace.model_breach_alert.model.edited.by}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: json.model.compliance - target_field: darktrace.model_breach_alert.model.in_compliance_behavior_category - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.interval - target_field: 
darktrace.model_breach_alert.model.interval - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.active - target_field: darktrace.model_breach_alert.model.is_active - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.autoSuppress - target_field: darktrace.model_breach_alert.model.is_auto_suppress - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.autoUpdatable - target_field: darktrace.model_breach_alert.model.is_auto_updatable - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.autoUpdate - target_field: darktrace.model_breach_alert.model.is_auto_update - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.sequenced - target_field: darktrace.model_breach_alert.model.is_sequenced - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.sharedEndpoints - target_field: darktrace.model_breach_alert.model.is_shared_endpoints - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - script: - description: Dynamically map model.logic.data array using model.logic.type field. 
- if: ctx.json?.model?.logic?.data instanceof List - lang: painless - ignore_failure: true - params: - componentList: data_component_list - weightedComponentList: data_weighted_component_list - source: - def data = ctx.json.model.logic.data; - if (ctx.json.model.logic?.type != null) { - if (['componentList', 'weightedComponentList'].contains(ctx.json.model.logic?.type)) { - ctx["json"]["model"]["logic"][params.get(ctx.json.model.logic?.type)] = data; - } else { - ctx["json"]["model"]["logic"]["data_" + ctx.json.model.logic?.type] = data; - } - } - ctx.json.model.logic.remove("data"); - - convert: - field: json.model.logic.data_component_list - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.logic.data_component_list - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.logic.data_weighted_component_list.cid - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.logic.data_weighted_component_list.cid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.logic.data_weighted_component_list.weight - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.logic.data_weighted_component_list.weight - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.logic.version - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.logic.version - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.logic.targetScore - target_field: json.model.logic.target_score - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: json.model.logic.targetScore - ignore_missing: true - - rename: - field: json.model.logic - target_field: 
darktrace.model_breach_alert.model.logic - ignore_missing: true - - date: - field: json.model.modified - target_field: darktrace.model_breach_alert.model.modified - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - - 'yyyy-MM-dd HH:mm:ss' - if: ctx.json?.model?.modified != null - on_failure: - - remove: - field: json.model.modified - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.model.name - target_field: darktrace.model_breach_alert.model.name - ignore_missing: true - - set: - field: rule.name - copy_from: darktrace.model_breach_alert.model.name - ignore_failure: true - - convert: - field: json.model.phid - target_field: darktrace.model_breach_alert.model.phid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.pid - target_field: darktrace.model_breach_alert.model.pid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.priority - target_field: darktrace.model_breach_alert.model.priority - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.priority - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.severity - copy_from: darktrace.model_breach_alert.model.priority - ignore_failure: true - - rename: - field: json.model.tags - target_field: darktrace.model_breach_alert.model.tags - ignore_missing: true - - set: - field: rule.ruleset - copy_from: darktrace.model_breach_alert.model.tags - ignore_failure: true - - convert: - field: json.model.throttle - target_field: darktrace.model_breach_alert.model.throttle - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.model.userID - 
target_field: darktrace.model_breach_alert.model.userid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.model.uuid - target_field: darktrace.model_breach_alert.model.uuid - ignore_missing: true - - set: - field: rule.uuid - copy_from: darktrace.model_breach_alert.model.uuid - ignore_failure: true - - convert: - field: json.model.version - target_field: darktrace.model_breach_alert.model.version - type: long - ignore_missing: true - on_failure: - - remove: - field: json.model.version - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: darktrace.model_breach_alert.model.version - target_field: rule.version - type: string - ignore_missing: true - on_failure: - - remove: - field: darktrace.model_breach_alert.model.version - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.pbscore - target_field: darktrace.model_breach_alert.pb_score - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.pbid - target_field: darktrace.model_breach_alert.pbid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.score - target_field: darktrace.model_breach_alert.score - type: double - ignore_missing: true - on_failure: - - remove: - field: json.score - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.risk_score - copy_from: darktrace.model_breach_alert.score - ignore_failure: true - - script: - description: Normalize event.risk_score to event.risk_score_norm - lang: painless - if: ctx.event?.risk_score != null - source: - def normalizedRiskScore = ctx.event.risk_score * 100.0; - ctx.event.risk_score_norm = normalizedRiskScore; - 
- date: - field: json.time - target_field: darktrace.model_breach_alert.time - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - if: ctx.json?.time != null - on_failure: - - remove: - field: json.time - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: darktrace.model_breach_alert.time - ignore_failure: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.cbid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.cbid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.chid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.chid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.cid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.cid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.interval - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.interval - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - script: - description: Stringify logic.data field of triggeredComponents array. 
- lang: painless - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - source: - for (component in ctx.json.triggeredComponents) { - component.logic.data = component?.logic?.data.toString(); - } - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.metric.mlid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.metric.mlid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.size - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.size - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - convert: - field: _ingest._value.threshold - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.threshold - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - date: - field: _ingest._value.time - target_field: _ingest._value.time - formats: - - ISO8601 - - UNIX_MS - - 'MMM dd HH:mm:ss' - on_failure: - - remove: - field: _ingest._value.time - ignore_missing: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - append: - field: event.start - value: '{{{_ingest._value.time}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - 
processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.cfid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.cfid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - rename: - field: _ingest._value.comparatorType - target_field: _ingest._value.comparator_type - ignore_missing: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - rename: - field: _ingest._value.filterType - target_field: _ingest._value.filter_type - ignore_missing: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.data.auto - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.data.auto - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.data.color - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.data.color - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: 
ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.expiry - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.expiry - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.isReferenced - target_field: _ingest._value.trigger.tag.is_referenced - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.isReferenced - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.restricted - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.restricted - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.thid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.thid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - 
processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - convert: - field: _ingest._value.trigger.tag.tid - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.trigger.tag.tid - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - foreach: - field: _ingest._value.triggeredFilters - ignore_failure: true - processor: - remove: - field: _ingest._value.trigger.tag.isReferenced - ignore_missing: true - - foreach: - field: json.triggeredComponents - if: ctx.json?.triggeredComponents instanceof List - ignore_failure: true - processor: - rename: - field: _ingest._value.triggeredFilters - target_field: _ingest._value.triggered_filters - ignore_missing: true - - rename: - field: json.triggeredComponents - target_field: darktrace.model_breach_alert.triggered_components - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - darktrace.model_breach_alert.time - - darktrace.model_breach_alert.model.actions.antigena.action - - darktrace.model_breach_alert.creation_time - - darktrace.model_breach_alert.score - - darktrace.model_breach_alert.model.priority - - darktrace.model_breach_alert.device.did - - darktrace.model_breach_alert.device.mac_address - - darktrace.model_breach_alert.device.type_name - - darktrace.model_breach_alert.model.created.by - - darktrace.model_breach_alert.model.category - - darktrace.model_breach_alert.model.description - - darktrace.model_breach_alert.model.name - - darktrace.model_breach_alert.model.tags - - darktrace.model_breach_alert.model.uuid - - darktrace.model_breach_alert.model.version - - darktrace.model_breach_alert.mitre_techniques - ignore_failure: true - ignore_missing: true - - foreach: 
- field: darktrace.model_breach_alert.triggered_components - if: ctx.darktrace?.model_breach_alert?.triggered_components instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) - ignore_failure: true - processor: - remove: - field: - - _ingest._value.time - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/agent.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/agent.yml deleted file mode 100755 index 1f754679d0..0000000000 --- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/agent.yml +++ /dev/null 
@@ -1,184 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: >- - If the host is a container. - - name: os.build - type: keyword - example: '18D109' - description: > - OS build information. - - - name: os.codename - type: keyword - example: 'stretch' - description: >- - OS codename, if any. -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/base-fields.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/base-fields.yml
deleted file mode 100755
index 7dd51b599c..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: darktrace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: darktrace.model_breach_alert
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/ecs.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/ecs.yml
deleted file mode 100755
index 84d84df374..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/ecs.yml
+++ /dev/null
@@ -1,177 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - Normalized risk score or priority of the event, on a scale of 0 to 100. - This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - name: event.risk_score_norm - type: float -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - name: host.type - type: keyword -- description: The device or application that originated the Syslog message, if available. 
- name: log.syslog.appname - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: The Syslog text-based facility of the log event, if available. - name: log.syslog.facility.name - type: keyword -- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. - name: log.syslog.hostname - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - name: log.syslog.severity.name - type: keyword -- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. 
- name: log.syslog.version - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - name: rule.author - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: The version / revision of the rule being used for analysis. - name: rule.version - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/fields.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/fields.yml deleted file mode 100755 index a972362479..0000000000 --- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/fields/fields.yml +++ /dev/null 
@@ -1,428 +0,0 @@
-- name: darktrace.model_breach_alert
- type: group
- fields:
- - name: aianalyst_data
- type: group
- fields:
- - name: related
- type: long
- - name: summariser
- type: keyword
- - name: uuid
- type: keyword
- - name: breach_url
- type: group
- description: A link to the specific model breach in the Darktrace Threat Visualizer - the configuration option FQDN must be set for this field to appear.
- fields:
- - name: domain
- type: keyword
- - name: extension
- type: keyword
- - name: fragment
- type: keyword
- - name: full
- type: keyword
- - name: original
- type: keyword
- - name: password
- type: keyword
- - name: path
- type: keyword
- - name: port
- type: long
- - name: query
- type: keyword
- - name: scheme
- type: keyword
- - name: username
- type: keyword
- - name: comment
- type: group
- fields:
- - name: count
- type: long
- description: The number of comments made against this breach.
- - name: creation_time
- type: date
- description: The timestamp that the record of the breach was created. This is distinct from the “time” field.
- - name: device_score
- type: double
- - name: device
- type: group
- fields:
- - name: credentials
- type: keyword
- - name: did
- type: long
- description: The “device id”, a unique identifier.
- - name: first_seen
- type: date
- description: The first time the device was seen on the network.
- - name: hostname
- type: keyword
- description: The current device hostname.
- - name: ip
- type: keyword
- description: The current IP associated with the device.
- - name: ip6
- type: keyword
- description: Current IPv6 address of this device if applicable, otherwise undefined.
- - name: ips
- type: group
- fields:
- - name: ip
- type: keyword
- description: A historic IP associated with the device.
- - name: sid
- type: long
- description: The subnet id for the subnet the IP belongs to.
- - name: time
- type: date
- description: The time the IP was last seen associated with that device in readable format.
- - name: timems
- type: date
- description: The time the IP was last seen associated with that device in epoch time.
- - name: last_seen
- type: date
- description: The last time the device was seen on the network.
- - name: mac_address
- type: keyword
- description: The current MAC address associated with the device.
- - name: sid
- type: long
- description: The subnet id for the subnet the device is currently located in.
- - name: tags
- type: group
- fields:
- - name: data
- type: group
- fields:
- - name: auto
- type: boolean
- - name: color
- type: long
- - name: description
- type: keyword
- - name: visibility
- type: keyword
- - name: expiry
- type: long
- - name: is_referenced
- type: boolean
- - name: name
- type: keyword
- - name: restricted
- type: boolean
- - name: thid
- type: long
- - name: tid
- type: long
- - name: type_label
- type: keyword
- description: The device type in readable format.
- - name: type_name
- type: keyword
- description: The device type in system format.
- - name: vendor
- type: keyword
- description: The vendor of the device network card as derived by Darktrace from the MAC address.
- - name: is_acknowledged
- type: boolean
- - name: mitre_techniques
- type: group
- description: Any mapped MITRE ATT&CK techniques the model corresponds to.
- fields:
- - name: name
- type: keyword
- - name: id
- type: keyword
- - name: model
- type: group
- fields:
- - name: actions
- type: group
- fields:
- - name: antigena
- type: group
- fields:
- - name: action
- type: keyword
- description: The action to be performed.
- - name: duration
- type: long
- description: The duration in seconds that the antigena action should last for.
- - name: is_confirm_by_human_operator
- type: boolean
- description: Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode.
- - name: threshold
- type: long
- description: The breach score threshold (out of 100) over which antigena will take an action.
- - name: is_alerting
- type: boolean
- description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met.
- - name: is_breach
- type: boolean
- description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met.
- - name: is_priority_set
- type: boolean
- description: If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean.
- - name: is_tag_set
- type: boolean
- description: If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean.
- - name: is_type_set
- type: boolean
- description: If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean.
- - name: model
- type: boolean
- description: If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray.
- - name: active_times
- type: group
- fields:
- - name: devices
- type: flattened
- description: The device ids for devices on the list.
- - name: tags
- type: flattened
- description: A system field.
- - name: type
- type: keyword
- description: 'The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist.'
- - name: version
- type: long
- description: A system field.
- - name: behaviour
- type: keyword
- description: The score modulation function as set in the model editor.
- - name: category
- type: keyword
- description: The behavior category of the model that was breached.
- - name: created
- type: group
- fields:
- - name: by
- type: keyword
- description: Username that created the model.
- - name: defeats
- type: group
- fields:
- - name: arguments
- type: group
- fields:
- - name: value
- type: keyword
- description: The value(s) that must match for the defeat to take effect.
- - name: comparator
- type: keyword
- description: The comparator that the value is compared against the create the defeat.
- - name: filtertype
- type: keyword
- description: The filter the defeat is made from.
- - name: id
- type: long
- description: A unique ID for the defeat.
- - name: delay
- type: long
- description: Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models.
- - name: description
- type: keyword
- description: The optional description of the model.
- - name: edited
- type: group
- fields:
- - name: by
- type: keyword
- description: Username that last edited the model.
- - name: userid
- type: long
- - name: in_compliance_behavior_category
- type: boolean
- description: Whether the model is in the compliance behavior category.
- - name: interval
- type: long
- description: Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached.
- - name: is_active
- type: boolean
- description: Whether the model is enabled or disabled.
- - name: is_auto_suppress
- type: boolean
- description: Whether the model will automatically be suppressed in the case of over-breaching.
- - name: is_auto_updatable
- type: boolean
- description: Whether the model is suitable for auto update.
- - name: is_auto_update
- type: boolean
- description: Whether the model is enabled for auto update.
- - name: is_sequenced
- type: boolean
- description: Whether the components are required to fire in the specified order for the model breach to occur.
- - name: is_shared_endpoints
- type: boolean
- description: For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire.
- - name: logic
- type: group
- fields:
- - name: data_component_list
- type: long
- description: This will be a list of component ID numbers.
- - name: data_weighted_component_list
- type: group
- description: This model is a weighted type this will be a list of component ID, weight object pairs.
- fields:
- - name: cid
- type: long
- - name: weight
- type: long
- - name: target_score
- type: long
- - name: type
- type: keyword
- description: The type of model.
- - name: version
- type: long
- description: A number representing the version of model logic.
- - name: modified
- type: date
- description: Timestamp at which the model was last modified, in a readable format.
- - name: name
- type: keyword
- description: Name of the model that was breached.
- - name: phid
- type: long
- description: The model “policy history” id. Increments when the model is modified.
- - name: pid
- type: long
- description: The “policy id” of the model that was breached.
- - name: priority
- type: long
- description: The model’s priority affects the strength with which it breaches (0-5 scale).
- - name: tags
- type: keyword
- description: A list of tags that have been applied to this model in the Threat Visualizer model editor.
- - name: throttle
- type: long
- description: For an individual device, this is the value in seconds for which this model will not fire again.
- - name: uuid
- type: keyword
- description: A unique ID that is generated on creation of the model.
- - name: version
- type: long
- description: The version of the model. Increments on each edit.
- - name: pb_score
- type: double
- description: The model breach score, represented by a value between 0 and 1.
- - name: pbid
- type: long
- description: The “policy breach ID” of the model breach.
- - name: score
- type: double
- description: The model breach score, represented by a value between 0 and 1.
- - name: time
- type: date
- description: The timestamp when the record was created in epoch time.
- - name: triggered_components
- type: group
- fields:
- - name: cbid
- type: long
- description: The “component breach id”. A unique identifier for the component breach.
- - name: chid
- type: long
- description: The “component history id”. Increments when the component is edited.
- - name: cid
- type: long
- description: The “component id”. A unique identifier.
- - name: interval
- type: long
- description: The timeframe in seconds within which the threshold must be satisfied.
- - name: logic
- type: group
- fields:
- - name: data
- type: text
- description: It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters.
- - name: version
- type: keyword
- description: The version of the component logic.
- - name: metric
- type: group
- fields:
- - name: label
- type: keyword
- description: The metric which data is returned for in readable format.
- - name: mlid
- type: long
- description: The “metric logic” id - unique identifier.
- - name: name
- type: keyword
- description: The metric which data is returned for in system format.
- - name: size
- type: long
- description: The size of the value that was compared in the component.
- - name: threshold
- type: long
- description: The threshold value that the size must exceed for the component to breach.
- - name: time
- type: date
- description: A timestamp in Epoch time at which the components were triggered.
- - name: triggered_filters
- type: group
- fields:
- - name: arguments
- type: group
- fields:
- - name: value
- type: keyword
- description: The value the filtertype should be compared against (using the specified comparator) to create the filter.
- - name: cfid
- type: long
- description: The ‘component filter id’. A unique identifier for the filter as part of a the component.
- - name: comparator_type
- type: keyword
- description: The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint.
- - name: filter_type
- type: keyword
- description: The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint.
- - name: id
- type: keyword
- description: A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral.
- - name: trigger
- type: group
- fields:
- - name: tag
- type: group
- fields:
- - name: data
- type: group
- fields:
- - name: auto
- type: boolean
- - name: color
- type: long
- - name: description
- type: keyword
- - name: visibility
- type: keyword
- - name: expiry
- type: long
- description: nan
- - name: isReferenced
- type: boolean
- description: nan
- - name: name
- type: keyword
- description: nan
- - name: restricted
- type: boolean
- description: nan
- - name: thid
- type: long
- description: nan
- - name: tid
- type: long
- description: nan
- - name: value
- type: keyword
- description: The actual value that triggered the filter.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/manifest.yml b/packages/darktrace/0.1.0/data_stream/model_breach_alert/manifest.yml
deleted file mode 100755
index 1f16664378..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/manifest.yml
+++ /dev/null
@@ -1,179 +0,0 @@
-title: Collect Model Breach Alert logs from Darktrace
-type: logs
-streams:
- - input: httpjson
- title: Model Breach Alert logs
- description: Collect Model Breach Alert logs via API.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the Model Breach Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s.
- default: 1m
- multi: false
- required: true
- show_user: true
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h.
- multi: false
- required: true
- show_user: false
- default: 30s
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-model_breach_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: tcp
- title: Model Breach Alert logs
- description: Collect Model Breach Alert logs via TCP input.
- template_path: tcp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9572
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-model_breach_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: udp
- title: Model Breach Alert logs
- description: Collect Model Breach Alert logs via UDP input.
- template_path: udp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9575
- - name: udp_options
- type: yaml
- title: Custom UDP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #timeout: 300s
- description: Specify custom configuration options for the UDP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-model_breach_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/darktrace/0.1.0/data_stream/model_breach_alert/sample_event.json b/packages/darktrace/0.1.0/data_stream/model_breach_alert/sample_event.json
deleted file mode 100755
index 8766072976..0000000000
--- a/packages/darktrace/0.1.0/data_stream/model_breach_alert/sample_event.json
+++ /dev/null
@@ -1,583 +0,0 @@ -{ - "@timestamp": "2022-07-11T13:04:08.000Z", - "agent": { - "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942", - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "darktrace": { - "model_breach_alert": { - "aianalyst_data": [ - { - "related": [ - 1 - ], - "summariser": "BeaconSummary", - "uuid": "1234abcd-1234-1234-1234-123456abcdef" - } - ], - "comment": { - "count": 0 - }, - "creation_time": "2022-07-11T13:04:19.000Z", - "device": { - "did": 3, - "first_seen": "2022-07-11T12:54:49.000Z", - "ip": "81.2.69.142", - "last_seen": "2022-07-11T13:00:18.000Z", - "sid": 1, - "type_label": "Desktop", - "type_name": "desktop" - }, - "model": { - "actions": { - "is_alerting": true, - "is_breach": true, - "is_priority_set": false, - "is_tag_set": false, - "is_type_set": false, - "model": true - }, - "active_times": { - "type": "exclusions", - "version": 2 - }, - "behaviour": "incdec1", - "category": "Informational", - "created": { - "by": "System" - }, - "delay": 0, - "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", - "edited": { - "by": "System" - }, - "in_compliance_behavior_category": false, - "interval": 10800, - "is_active": true, - "is_auto_suppress": true, - "is_auto_updatable": true, - "is_auto_update": true, - "is_sequenced": false, - "is_shared_endpoints": false, - "logic": { - "data_weighted_component_list": [ - { - "cid": 2026, - "weight": 1 - }, - { - "cid": 2024, - "weight": 1 - }, - { - "cid": 2025, - "weight": -100 - } - ], - "target_score": 1, - "type": "weightedComponentList", - "version": 1 - }, - "modified": "2022-07-11T11:47:37.000Z", - "name": "Compromise::Beaconing Activity To External Rare", - "phid": 1072, - "pid": 156, - "priority": 2, - "tags": [ - "AP: C2 Comms" - ], - "throttle": 10800, - "uuid": "1234abcd-1234-1234-1234-123456abcdef", - "version": 23 - }, - "pbid": 1, - "score": 0.674, - "time": "2022-07-11T13:04:08.000Z", - "triggered_components": [ - { - "cbid": 1, - "chid": 2113, - "cid": 2026, - "interval": 3600, - "logic": { - "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, 
right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", - "version": "v0.1" - }, - "metric": { - "label": "External Connections", - "mlid": 1, - "name": "externalconnections" - }, - "size": 11, - "threshold": 10, - "time": "2022-07-11T13:04:08.000Z", - "triggered_filters": [ - { - "arguments": { - "value": 60 - }, - "cfid": 23426, - "comparator_type": "\u003e", - "filter_type": "Beaconing score", - "id": "A", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": 0 - }, - "cfid": 23427, - "comparator_type": "\u003e", - "filter_type": "Individual size up", - "id": "AA", - "trigger": { - "value": "4382" - } - }, - { - "arguments": { - "value": 95 - }, - "cfid": 23428, - "comparator_type": "\u003e", - "filter_type": "Rare domain", - "id": "AB", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": 1209600 - }, - "cfid": 23430, - "comparator_type": "\u003c", - "filter_type": "Age of destination", - "id": "AD", - "trigger": { - "value": "558" - } - }, - { - "arguments": { - "value": 1209600 - }, - "cfid": 23431, - "comparator_type": "\u003c", - "filter_type": "Age of external hostname", - "id": "AE", - "trigger": { - "value": "558" - } - }, - { - "arguments": { - "value": "examples" - }, - "cfid": 23432, - "comparator_type": "does not match regular expression", - 
"filter_type": "Connection hostname", - "id": "AF", - "trigger": { - "value": "example.com" - } - }, - { - "arguments": { - "value": "examples" - }, - "cfid": 23433, - "comparator_type": "does not match regular expression", - "filter_type": "ASN", - "id": "AG", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "arguments": { - "value": "5d41402abc4b2a76b9719d911017c592" - }, - "cfid": 23434, - "comparator_type": "does not match", - "filter_type": "JA3 hash", - "id": "AH", - "trigger": { - "value": "5d41402abc4b2a76b9719d911017c592" - } - }, - { - "arguments": { - "value": 95 - }, - "cfid": 23435, - "comparator_type": "\u003e", - "filter_type": "Rare external IP", - "id": "B", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": "1003" - }, - "cfid": 23436, - "comparator_type": "is not", - "filter_type": "Application protocol", - "id": "C", - "trigger": { - "value": "1004" - } - }, - { - "arguments": { - "value": 53 - }, - "cfid": 23437, - "comparator_type": "!=", - "filter_type": "Destination port", - "id": "D", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": "out" - }, - "cfid": 23438, - "comparator_type": "is", - "filter_type": "Direction", - "id": "E", - "trigger": { - "value": "out" - } - }, - { - "arguments": { - "value": 137 - }, - "cfid": 23439, - "comparator_type": "!=", - "filter_type": "Destination port", - "id": "H", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": 161 - }, - "cfid": 23440, - "comparator_type": "!=", - "filter_type": "Destination port", - "id": "I", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": "6" - }, - "cfid": 23441, - "comparator_type": "is", - "filter_type": "Protocol", - "id": "J", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "Company" - }, - "cfid": 23442, - "comparator_type": "does not contain", - "filter_type": "ASN", - "id": "K", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - 
"arguments": { - "value": "Company" - }, - "cfid": 23443, - "comparator_type": "does not contain", - "filter_type": "ASN", - "id": "L", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "arguments": { - "value": "13" - }, - "cfid": 23444, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "M", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "5" - }, - "cfid": 23445, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "N", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "9" - }, - "cfid": 23446, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "O", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "12" - }, - "cfid": 23447, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "P", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "30" - }, - "cfid": 23448, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "S", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "4" - }, - "cfid": 23449, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "U", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "3" - }, - "cfid": 23450, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "V", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "false" - }, - "cfid": 23451, - "comparator_type": "is", - "filter_type": "Trusted hostname", - "id": "X", - "trigger": { - "value": "false" - } - }, - { - "arguments": { - "value": 26 - }, - "cfid": 23452, - "comparator_type": "does not have tag", - "filter_type": "Tagged internal source", - "id": "Y", - "trigger": { - "tag": { - "data": { - "auto": false, - "color": 5, - "visibility": "Public" - }, - "expiry": 0, - "is_referenced": true, - 
"name": "No Device Tracking", - "restricted": false, - "thid": 26, - "tid": 26 - }, - "value": "26" - } - }, - { - "arguments": { - "value": 0 - }, - "cfid": 23453, - "comparator_type": "\u003e", - "filter_type": "Individual size down", - "id": "Z", - "trigger": { - "value": "5862" - } - }, - { - "cfid": 23454, - "comparator_type": "display", - "filter_type": "JA3 hash", - "id": "d1", - "trigger": { - "value": "5d41402abc4b2a76b9719d911017c592" - } - }, - { - "cfid": 23455, - "comparator_type": "display", - "filter_type": "ASN", - "id": "d2", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "cfid": 23456, - "comparator_type": "display", - "filter_type": "Destination IP", - "id": "d3", - "trigger": { - "value": "81.2.69.192" - } - }, - { - "cfid": 23457, - "comparator_type": "display", - "filter_type": "Connection hostname", - "id": "d4", - "trigger": { - "value": "example.com" - } - } - ] - } - ] - } - }, - "data_stream": { - "dataset": "darktrace.model_breach_alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "snapshot": false, - "version": "8.2.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-11T13:04:19.000Z", - "dataset": "darktrace.model_breach_alert", - "ingested": "2022-09-30T11:39:13Z", - "kind": "event", - "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External 
Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
- "risk_score": 0.674,
- "risk_score_norm": 67.4,
- "severity": 2,
- "start": [
- "2022-07-11T13:04:08.000Z"
- ],
- "type": [
- "info",
- "connection"
- ]
- },
- "host": {
- "id": "3",
- "ip": [
- "81.2.69.142"
- ],
- "type": "desktop"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.128.5:60206"
- },
- "syslog": {
- "facility": {
- "code": 20,
- "name": "local4"
- },
- "hostname": "example.cloud.darktrace.com",
- "priority": 165,
- "severity": {
- "code": 5,
- "name": "Notice"
- },
- "version": "1"
- }
- },
- "related": {
- "ip": [
- "81.2.69.142"
- ],
- "user": [
- "System"
- ]
- },
- "rule": {
- "author": "System",
- "category": "Informational",
- "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
- "name": "Compromise::Beaconing Activity To External Rare",
- "ruleset": [
- "AP: C2 Comms"
- ],
- "uuid": "1234abcd-1234-1234-1234-123456abcdef",
- "version": "23"
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "darktrace-model_breach_alert"
- ]
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/tcp.yml.hbs
deleted file mode 100755
index b1d260f0f9..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/udp.yml.hbs
deleted file mode 100755
index f342c4fa75..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-{{#if udp_options}}
-{{udp_options}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- syslog:
- field: message
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50abd1f616..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,235 +0,0 @@
----
-description: Pipeline for processing System Status Alert logs.
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - grok:
- field: message
- patterns:
- - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$"
- pattern_definitions:
- FIELD: "[a-zA-Z]*"
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - fingerprint:
- fields:
- - json.uuid
- - json.last_updated
- - json.last_updated_status
- - json.message
- target_field: _id
- ignore_missing: true
- - set:
- field: event.type
- value: [info]
- - set:
- field: event.kind
- value: event
- - set:
- field: event.kind
- value: alert
- if: (['active','resolved'].contains(ctx.json?.status?.toLowerCase()))
- - date:
- field: json.last_updated
- target_field: darktrace.system_status_alert.last_updated
- formats:
- - ISO8601
- - UNIX
- - UNIX_MS
- - 'MMM dd HH:mm:ss'
- if: ctx.json?.last_updated != null
- on_failure:
- - remove:
- field: json.last_updated
- ignore_missing: true
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: '@timestamp'
- copy_from: darktrace.system_status_alert.last_updated
- ignore_failure: true
- - rename:
- field: json.uuid
- target_field: darktrace.system_status_alert.uuid
- ignore_missing: true
- - set:
- field: event.id
- copy_from: darktrace.system_status_alert.uuid
- ignore_failure: true
- - rename:
- field: json.message
- target_field: darktrace.system_status_alert.message
- ignore_missing: true
- - set:
- field: event.reason
- copy_from: darktrace.system_status_alert.message
- ignore_failure: true
- - convert:
- field: json.priority
- target_field: darktrace.system_status_alert.priority
- type: double
- ignore_missing: true
- on_failure:
- - remove:
- field: json.priority
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: event.risk_score
- copy_from: 
darktrace.system_status_alert.priority
- ignore_failure: true
- - set:
- field: event.risk_score_norm
- copy_from: darktrace.system_status_alert.priority
- ignore_failure: true
- - uri_parts:
- field: json.url
- target_field: darktrace.system_status_alert.url
- if: ctx.json?.url != null
- keep_original: true
- on_failure:
- - remove:
- field: json.url
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: event.url
- copy_from: darktrace.system_status_alert.url.original
- ignore_failure: true
- - rename:
- field: json.hostname
- target_field: darktrace.system_status_alert.hostname
- ignore_missing: true
- - convert:
- field: darktrace.system_status_alert.hostname
- target_field: darktrace.system_status_alert._temp_.hostname_ip
- type: ip
- ignore_missing: true
- on_failure:
- - set:
- field: host.hostname
- copy_from: darktrace.system_status_alert.hostname
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{darktrace.system_status_alert._temp_.hostname_ip}}}'
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{host.hostname}}}'
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.ip_address
- target_field: darktrace.system_status_alert._temp_.ip_address
- type: ip
- ignore_failure: true
- - set:
- field: host.ip
- copy_from: darktrace.system_status_alert._temp_.ip_address
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{host.ip}}}'
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.ip_address
- target_field: darktrace.system_status_alert.ip_address
- ignore_missing: true
- - remove:
- field: darktrace.system_status_alert._temp_
- ignore_missing: true
- - rename:
- field: json.acknowledge_timeout
- target_field: darktrace.system_status_alert.acknowledge_timeout
- ignore_missing: true
- - rename:
- field: json.alert_name
- target_field: darktrace.system_status_alert.alert_name
- ignore_missing: true
- 
- convert:
- field: json.child_id
- target_field: darktrace.system_status_alert.child_id
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - date:
- field: json.last_updated_status
- target_field: darktrace.system_status_alert.last_updated_status
- formats:
- - ISO8601
- - UNIX
- - UNIX_MS
- - 'MMM dd HH:mm:ss'
- if: ctx.json?.last_updated_status != null
- on_failure:
- - remove:
- field: json.last_updated_status
- ignore_missing: true
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.name
- target_field: darktrace.system_status_alert.name
- ignore_missing: true
- - rename:
- field: json.priority_level
- target_field: darktrace.system_status_alert.priority_level
- ignore_missing: true
- - lowercase:
- field: json.status
- target_field: darktrace.system_status_alert.status
- ignore_failure: true
- - remove:
- field: json
- ignore_missing: true
- - remove:
- if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
- field:
- - darktrace.system_status_alert.last_updated
- - darktrace.system_status_alert.uuid
- - darktrace.system_status_alert.message
- - darktrace.system_status_alert.priority
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively. 
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - append:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/agent.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/agent.yml
deleted file mode 100755
index 10023a1174..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/agent.yml
+++ /dev/null
@@ -1,183 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance. 
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >-
- If the host is a container.
- - name: os.build
- type: keyword
- example: '18D109'
- description: >-
- OS build information.
- - name: os.codename
- type: keyword
- example: 'stretch'
- description: >-
- OS codename, if any.
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/base-fields.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/base-fields.yml
deleted file mode 100755
index ba05367fe7..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: darktrace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: darktrace.system_status_alert
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/ecs.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/ecs.yml
deleted file mode 100755
index d16f40b89a..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/ecs.yml
+++ /dev/null
@@ -1,119 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
- name: event.risk_score
- type: float
-- description: |-
- Normalized risk score or priority of the event, on a scale of 0 to 100.
- This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
- name: event.risk_score_norm
- type: float
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- URL linking to an external system to continue investigation of this event.
- This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.url
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: The device or application that originated the Syslog message, if available.
- name: log.syslog.appname
- type: keyword
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: The Syslog text-based facility of the log event, if available.
- name: log.syslog.facility.name
- type: keyword
-- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
- name: log.syslog.hostname
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. 
This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
- name: log.syslog.severity.name
- type: keyword
-- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
- name: log.syslog.version
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/fields.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/fields.yml
deleted file mode 100755
index 5bd54f4a6b..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/fields/fields.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-- name: darktrace.system_status_alert
- type: group
- fields:
- - name: acknowledge_timeout
- type: keyword
- description: When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases.
- - name: alert_name
- type: keyword
- description: A human readable name of the alert type.
- - name: child_id
- type: long
- description: For probes (physical or virtual), the unique ID associated with the probe.
- - name: hostname
- type: keyword
- description: The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected.
- - name: ip_address
- type: keyword
- description: The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected.
- - name: last_updated
- type: date
- description: A timestamp in epoch time that the system alert itself was updated.
- - name: last_updated_status
- type: date
- description: A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself.
- - name: message
- type: keyword
- description: A textual description of the system event that has triggered the alert.
- - name: name
- type: keyword
- description: A system name of the alert type.
- - name: priority
- type: double
- description: The numeric criticality associated with the alert.
- - name: priority_level
- type: keyword
- description: 'The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical.'
- - name: status
- type: keyword
- description: The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state.
- - name: url
- type: group
- fields:
- - name: domain
- type: keyword
- - name: extension
- type: keyword
- - name: fragment
- type: keyword
- - name: full
- type: keyword
- - name: original
- type: keyword
- - name: password
- type: keyword
- - name: path
- type: keyword
- - name: port
- type: long
- - name: query
- type: keyword
- - name: scheme
- type: keyword
- - name: username
- type: keyword
- - name: uuid
- type: keyword
- description: A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/manifest.yml b/packages/darktrace/0.1.0/data_stream/system_status_alert/manifest.yml
deleted file mode 100755
index 1f115305dc..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/manifest.yml
+++ /dev/null
@@ -1,117 +0,0 @@
-title: Collect System Status Alert logs from Darktrace
-type: logs
-streams:
- - input: tcp
- title: System Status Alert logs
- description: Collect System Status Alert logs via TCP input.
- template_path: tcp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9573
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-system_status_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: udp
- title: System Status Alert logs
- description: Collect System Status Alert logs via UDP input.
- template_path: udp.yml.hbs
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9576
- - name: udp_options
- type: yaml
- title: Custom UDP Options
- multi: false
- required: false
- show_user: false
- default: |
- max_message_size: 50KiB
- #timeout: 300s
- description: Specify custom configuration options for the UDP input.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - darktrace-system_status_alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/darktrace/0.1.0/data_stream/system_status_alert/sample_event.json b/packages/darktrace/0.1.0/data_stream/system_status_alert/sample_event.json
deleted file mode 100755
index 31283fa03a..0000000000
--- a/packages/darktrace/0.1.0/data_stream/system_status_alert/sample_event.json
+++ /dev/null
@@ -1,92 +0,0 @@
-{
- "@timestamp": "2021-04-18T15:44:11.000Z",
- "agent": {
- "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2",
- "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.1"
- },
- "darktrace": {
- "system_status_alert": {
- "alert_name": "Advanced Search",
- "child_id": 1,
- "hostname": "example-vsensor",
- "ip_address": "175.16.199.1",
- "last_updated": "2021-04-18T15:44:11.000Z",
- "last_updated_status": "2021-04-18T15:44:11.000Z",
- "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
- "name": "advanced_search",
- "priority": 43,
- "priority_level": "medium",
- "status": "active",
- "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3"
- }
- },
- "data_stream": {
- "dataset": "darktrace.system_status_alert",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
- "snapshot": false,
- "version": "8.2.1"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "darktrace.system_status_alert",
- "id": "abcdabcd-1234-1234-1234-3abababcdcd3",
- "ingested": "2022-09-30T11:41:35Z",
- "kind": "alert",
- "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}",
- "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
- "risk_score": 43,
- "risk_score_norm": 43,
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "example-vsensor",
- "ip": "175.16.199.1"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.128.5:36197"
- },
- "syslog": {
- "facility": {
- "code": 20,
- "name": "local4"
- },
- "hostname": "example.cloud.darktrace.com",
- "priority": 165,
- "severity": {
- "code": 5,
- "name": "Notice"
- },
- "version": "1"
- }
- },
- "related": {
- "hosts": [
- "example-vsensor"
- ],
- "ip": [
- "175.16.199.1"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "darktrace-system_status_alert"
- ]
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/docs/README.md b/packages/darktrace/0.1.0/docs/README.md
deleted file mode 100755
index fe1804a854..0000000000
--- a/packages/darktrace/0.1.0/docs/README.md
+++ /dev/null
@@ -1,1462 +0,0 @@ -# Darktrace - -## Overview - -The [Darktrace](https://darktrace.com/) integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network. - -Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana. - -For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. - -## Data streams - -The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert. - -**AI Analyst Alert** is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-aia-json-schema). - -**Model Breach Alert** is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-schema). 
- -**System Status Alert** keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-system-schema). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - -Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server. - -This module has been tested against **Darktrace Threat Visualizer v5.2**. - -## Setup - -### To collect data from Darktrace REST APIs, follow the below steps: - -1. Hostname URL will be your . (Threat Visualizer Console Hostname) -2. Public and Private Token will be generated by following this [Link](https://customerportal.darktrace.com/product-guides/main/api-tokens). - -**Note:** System Status Alert are not supported by REST API. - -### To collect data from Darktrace via Syslog, follow the below steps: - -The user needs to create a different Syslog Forwarder with different ports for each data stream. - -The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below: - -1. Open the Darktrace Threat Visualizer Dashboard and navigate to the **System Config** page. (**Main menu › Admin**). -2. From the left-side menu, select **Modules**, then navigate to the **Workflow Integrations** section and choose **Syslog**. -3. 
Select **Syslog JSON** tab and click **New** to set up new Syslog Forwarder. -4. Enter the **IP Address**  and **Port** of the Elastic Agent that is running the integration in the **Server** and **Server Port** field respectively. - -For more details, see [Documentation](https://customerportal.darktrace.com/product-guides/main/json-alerts). - -**Note:** - - It is recommended to turn on **Full Timestamps** toggle in **Show Advanced Options** to get the full timestamp instead of the RFC3164-formatted timestamp. - - It is also recommended to turn off **Reduced Message Size** toggle in **Show Advanced Options** to get more information about alerts. - -### After following generic guidance steps, below are the steps for collecting individual logs for all three data streams. - -#### For AI Analyst Alert, below are the suggested configurations to collect all the events of AI Analyst Alert: - -- Configure the following settings in **Show Advanced Options**: - -| Field Name | Value | -| --------------------------------------- | ----------------------------------- | -| Send AI Analyst Alerts | ON | -| Send AI Analyst Alerts Immediately | ON | -| AI Analyst Behavior Filter | Critical, Suspicious and Compliance | -| Minimum AI Analyst Incident Event Score | 0 | -| Minimum AI Analyst Incident Score | 0 | -| Legacy AI Analyst Alerts | OFF | - -#### For Model Breach Alert, below are the suggested configurations to collect all the events of Model Breach Alert: - -- Configure the following settings in **Show Advanced Options**: - -| Field Name | Value | -| ---------------------------- | -------------------------------------------------- | -| Send Model Breach Alerts | ON | -| Model Breach Behavior Filter | Critical, Suspicious, Compliance and Informational | -| Minimum Breach Score | 0 | -| Minimum Breach Priority | 0 | -| Model Expression | N/A | -| Model Tags Expression | N/A | -| Device IP Addresses | N/A | -| Device Tags Addresses | N/A | - -#### For System Status Alert, below 
are the suggested configurations to collect all the events of System Status Alert: - -- Configure the following settings in **Show Advanced Options**: - -| Field Name | Value | -| ---------------------------------- | ------------- | -| Send System Status Alerts | ON | -| Send Resolved System Status Alerts | ON | -| Minimum System Status Priority | Informational | - -### See more about [Syslog Filters and Optional Settings](https://customerportal.darktrace.com/product-guides/main/syslog-json-alert-settings) - -**Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. - - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. - -## Logs reference - -### ai_analyst_alert - -This is the `ai_analyst_alert` dataset. - -#### Example - -An example event for `ai_analyst_alert` looks as following: - -```json -{ - "@timestamp": "2021-08-03T14:48:09.240Z", - "agent": { - "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae", - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "darktrace": { - "ai_analyst_alert": { - "activity_id": "abcd1234", - "aia_score": 98, - "attack_phases": [ - 5 - ], - "breach_devices": [ - { - "did": 10, - "ip": "81.2.69.144", - "sid": 12, - "subnet": "VPN" - } - ], - "category": "critical", - "children": [ - "eabcdef0-1234-1234-1234-cabcdefghij9" - ], - "created_at": "2021-08-03T14:48:09.240Z", - "current_group": "eabc1234-1234-1234-1234-cabcdefg0011", - "details": [ - [ - { - "contents": [ - { - "type": "device", - "values": [ - { - "did": 10, - "ip": "175.16.199.1", - "sid": 12, - "subnet": "VPN" - } - ] - } - ], - "header": "Breaching Device" - } - ], - [ - { - "contents": [ - { - "key": "Time", - "type": "timestampRange", - "values": [ - { - "end": 1628000141220, - "start": 1627985298683 - } - ] - }, - { - "key": 
"Number of unique IPs", - "type": "integer", - "values": [ - 16 - ] - }, - { - "key": "Targeted IP ranges include", - "type": "device", - "values": [ - { - "ip": "81.2.69.192" - }, - { - "ip": "175.16.199.1" - }, - { - "ip": "175.16.199.3" - } - ] - }, - { - "key": "Destination port", - "type": "integer", - "values": [ - 22 - ] - }, - { - "key": "Connection count", - "type": "integer", - "values": [ - 40 - ] - }, - { - "key": "Percentage successful", - "type": "percentage", - "values": [ - 100 - ] - } - ], - "header": "SSH Activity" - } - ] - ], - "group_by_activity": false, - "group_category": "critical", - "group_score": 72.9174234, - "grouping_ids": [ - "abcdef12" - ], - "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "is_acknowledged": false, - "is_external_triggered": false, - "is_pinned": true, - "is_user_triggered": false, - "periods": [ - { - "end": "2021-08-03T14:15:41.220Z", - "start": "2021-08-03T10:08:18.683Z" - } - ], - "related_breaches": [ - { - "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device", - "pbid": 1234, - "threat_score": 37, - "timestamp": "2021-08-03T13:25:57.000Z" - } - ], - "summariser": "AdminConnSummary", - "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", - "title": "Extensive Unusual SSH Connections" - } - }, - "data_stream": { - "dataset": "darktrace.ai_analyst_alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "snapshot": false, - "version": "8.2.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "threat" - ], - "dataset": 
"darktrace.ai_analyst_alert", - "duration": [ - 14842537000000 - ], - "end": [ - "2021-08-03T14:15:41.220Z" - ], - "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "ingested": "2022-09-30T11:36:06Z", - "kind": "alert", - "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number 
of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", - "reason": "Extensive Unusual SSH Connections", - "risk_score": 98, - "risk_score_norm": 98, - "start": [ - "2021-08-03T10:08:18.683Z" - ], - "type": [ - "info" - ] - }, - "host": { - "id": [ - "10" - ], - "ip": [ - "81.2.69.144" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.128.5:49066" - }, - "syslog": { - "facility": { - "code": 20, - "name": "local4" - }, - "hostname": "example.cloud.darktrace.com", - "priority": 165, - "severity": { - "code": 5, - "name": "Notice" - }, - "version": "1" - } - }, - "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", - "related": { - "ip": [ - "81.2.69.144", - "175.16.199.1", - "81.2.69.192", - "175.16.199.3" - ] - }, - "rule": { - "name": [ - "Unusual Activity / Unusual Activity from Re-Activated Device" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "darktrace-ai_analyst_alert" - ], - "threat": { - 
"enrichments": { - "matched": { - "id": [ - "eabcdef0-1234-1234-1234-cabcdefghij9" - ] - } - }, - "group": { - "id": "eabc1234-1234-1234-1234-cabcdefg0011" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| darktrace.ai_analyst_alert.activity_id | An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. | keyword | -| darktrace.ai_analyst_alert.aia_score | The score of the event as classified by AI Analyst - out of 100. | double | -| darktrace.ai_analyst_alert.attack_phases | Of the six attack phases, which phases are applicable to the activity. | long | -| darktrace.ai_analyst_alert.breach_devices.did | The unique device id identifier for the device that triggered the breach. 
This field is used to group events into device-based incidents within the Threat Visualizer. | long | -| darktrace.ai_analyst_alert.breach_devices.hostname | The hostname associated with the device, if available. | keyword | -| darktrace.ai_analyst_alert.breach_devices.identifier | An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. | keyword | -| darktrace.ai_analyst_alert.breach_devices.ip | The IP associated with the device. | keyword | -| darktrace.ai_analyst_alert.breach_devices.mac_address | The MAC address associated with the device. | keyword | -| darktrace.ai_analyst_alert.breach_devices.sid | The subnet id for the subnet the device is currently located in. | long | -| darktrace.ai_analyst_alert.breach_devices.subnet | The subnet label for the corresponding subnet, if available. | keyword | -| darktrace.ai_analyst_alert.category | The behavior category associated with the incident event. | keyword | -| darktrace.ai_analyst_alert.children | One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. | keyword | -| darktrace.ai_analyst_alert.created_at | Timestamp for event creation in epoch time. | date | -| darktrace.ai_analyst_alert.current_group | The UUID of the current incident this event belongs to. | keyword | -| darktrace.ai_analyst_alert.details | An array of multiple sections (sub-arrays) of event information. | flattened | -| darktrace.ai_analyst_alert.group_by_activity | Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). | boolean | -| darktrace.ai_analyst_alert.group_category | The behavior category associated with the incident overall. 
Relevant for v5.2+ incident construction only. | keyword | -| darktrace.ai_analyst_alert.group_previous_groups | If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. | keyword | -| darktrace.ai_analyst_alert.group_score | The current overall score of the incident this event is part of. | double | -| darktrace.ai_analyst_alert.grouping_ids | Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. | keyword | -| darktrace.ai_analyst_alert.id | A system field. | keyword | -| darktrace.ai_analyst_alert.incident_event_url.domain | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.extension | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.fragment | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.full | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.original | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.password | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.path | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.port | | long | -| darktrace.ai_analyst_alert.incident_event_url.query | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.scheme | | keyword | -| darktrace.ai_analyst_alert.incident_event_url.username | | keyword | -| darktrace.ai_analyst_alert.is_acknowledged | Whether the event has been acknowledged. | boolean | -| darktrace.ai_analyst_alert.is_external_triggered | Whether the event was created as a result of an externally triggered AI Analyst investigation. | boolean | -| darktrace.ai_analyst_alert.is_pinned | Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. 
Pinned events will always return regardless of the timeframe specified. | boolean | -| darktrace.ai_analyst_alert.is_user_triggered | Whether the event was created as a result of a user-triggered AI Analyst investigation. | boolean | -| darktrace.ai_analyst_alert.periods.end | A timestamp for the end of the activity period in epoch time. | date | -| darktrace.ai_analyst_alert.periods.start | A timestamp for the start of the activity period in epoch time. | date | -| darktrace.ai_analyst_alert.related_breaches.model_name | The name of the model that breached. | keyword | -| darktrace.ai_analyst_alert.related_breaches.pbid | The policy breach ID unique identifier of the model breach. | long | -| darktrace.ai_analyst_alert.related_breaches.threat_score | The breach score of the associated model breach - out of 100. | long | -| darktrace.ai_analyst_alert.related_breaches.timestamp | The timestamp at which the model breach occurred in epoch time. | date | -| darktrace.ai_analyst_alert.summariser | A system field. | keyword | -| darktrace.ai_analyst_alert.summary | A textual summary of the suspicious activity. This example is abbreviated. | keyword | -| darktrace.ai_analyst_alert.title | A title describing the activity that occurred. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. 
for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| host.architecture | Operating system architecture. 
| keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.appname | The device or application that originated the Syslog message, if available. 
| keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
-| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword |
-| threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword |
-
-
-### model_breach_alert
-
-This is the `model_breach_alert` dataset.
-
-#### Example
-
-An example event for `model_breach_alert` looks as following:
-
-```json
-{
- "@timestamp": "2022-07-11T13:04:08.000Z",
- "agent": {
- "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942",
- "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.1"
- },
- "darktrace": {
- "model_breach_alert": {
- "aianalyst_data": [
- {
- "related": [
- 1
- ],
- "summariser": "BeaconSummary",
- "uuid": "1234abcd-1234-1234-1234-123456abcdef"
- }
- ],
- "comment": {
- "count": 0
- },
- "creation_time": "2022-07-11T13:04:19.000Z",
- "device": {
- "did": 3,
- "first_seen": "2022-07-11T12:54:49.000Z",
- "ip": "81.2.69.142",
- "last_seen": "2022-07-11T13:00:18.000Z",
- "sid": 1,
- "type_label": "Desktop",
- "type_name": "desktop"
- },
- "model": {
- "actions": {
- "is_alerting": true,
- "is_breach": true,
- "is_priority_set": false,
- "is_tag_set": false,
- "is_type_set": false,
- "model": true
- },
- "active_times": {
- "type": 
"exclusions", - "version": 2 - }, - "behaviour": "incdec1", - "category": "Informational", - "created": { - "by": "System" - }, - "delay": 0, - "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", - "edited": { - "by": "System" - }, - "in_compliance_behavior_category": false, - "interval": 10800, - "is_active": true, - "is_auto_suppress": true, - "is_auto_updatable": true, - "is_auto_update": true, - "is_sequenced": false, - "is_shared_endpoints": false, - "logic": { - "data_weighted_component_list": [ - { - "cid": 2026, - "weight": 1 - }, - { - "cid": 2024, - "weight": 1 - }, - { - "cid": 2025, - "weight": -100 - } - ], - "target_score": 1, - "type": "weightedComponentList", - "version": 1 - }, - "modified": "2022-07-11T11:47:37.000Z", - "name": "Compromise::Beaconing Activity To External Rare", - "phid": 1072, - "pid": 156, - "priority": 2, - "tags": [ - "AP: C2 Comms" - ], - "throttle": 10800, - "uuid": "1234abcd-1234-1234-1234-123456abcdef", - "version": 23 - }, - "pbid": 1, - "score": 0.674, - "time": "2022-07-11T13:04:08.000Z", - "triggered_components": [ - { - "cbid": 1, - "chid": 2113, - "cid": 2026, - "interval": 3600, - "logic": { - "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, 
right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", - "version": "v0.1" - }, - "metric": { - "label": "External Connections", - "mlid": 1, - "name": "externalconnections" - }, - "size": 11, - "threshold": 10, - "time": "2022-07-11T13:04:08.000Z", - "triggered_filters": [ - { - "arguments": { - "value": 60 - }, - "cfid": 23426, - "comparator_type": "\u003e", - "filter_type": "Beaconing score", - "id": "A", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": 0 - }, - "cfid": 23427, - "comparator_type": "\u003e", - "filter_type": "Individual size up", - "id": "AA", - "trigger": { - "value": "4382" - } - }, - { - "arguments": { - "value": 95 - }, - "cfid": 23428, - "comparator_type": "\u003e", - "filter_type": "Rare domain", - "id": "AB", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": 1209600 - }, - 
"cfid": 23430, - "comparator_type": "\u003c", - "filter_type": "Age of destination", - "id": "AD", - "trigger": { - "value": "558" - } - }, - { - "arguments": { - "value": 1209600 - }, - "cfid": 23431, - "comparator_type": "\u003c", - "filter_type": "Age of external hostname", - "id": "AE", - "trigger": { - "value": "558" - } - }, - { - "arguments": { - "value": "examples" - }, - "cfid": 23432, - "comparator_type": "does not match regular expression", - "filter_type": "Connection hostname", - "id": "AF", - "trigger": { - "value": "example.com" - } - }, - { - "arguments": { - "value": "examples" - }, - "cfid": 23433, - "comparator_type": "does not match regular expression", - "filter_type": "ASN", - "id": "AG", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "arguments": { - "value": "5d41402abc4b2a76b9719d911017c592" - }, - "cfid": 23434, - "comparator_type": "does not match", - "filter_type": "JA3 hash", - "id": "AH", - "trigger": { - "value": "5d41402abc4b2a76b9719d911017c592" - } - }, - { - "arguments": { - "value": 95 - }, - "cfid": 23435, - "comparator_type": "\u003e", - "filter_type": "Rare external IP", - "id": "B", - "trigger": { - "value": "100" - } - }, - { - "arguments": { - "value": "1003" - }, - "cfid": 23436, - "comparator_type": "is not", - "filter_type": "Application protocol", - "id": "C", - "trigger": { - "value": "1004" - } - }, - { - "arguments": { - "value": 53 - }, - "cfid": 23437, - "comparator_type": "!=", - "filter_type": "Destination port", - "id": "D", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": "out" - }, - "cfid": 23438, - "comparator_type": "is", - "filter_type": "Direction", - "id": "E", - "trigger": { - "value": "out" - } - }, - { - "arguments": { - "value": 137 - }, - "cfid": 23439, - "comparator_type": "!=", - "filter_type": "Destination port", - "id": "H", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": 161 - }, - "cfid": 23440, - "comparator_type": "!=", - 
"filter_type": "Destination port", - "id": "I", - "trigger": { - "value": "443" - } - }, - { - "arguments": { - "value": "6" - }, - "cfid": 23441, - "comparator_type": "is", - "filter_type": "Protocol", - "id": "J", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "Company" - }, - "cfid": 23442, - "comparator_type": "does not contain", - "filter_type": "ASN", - "id": "K", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "arguments": { - "value": "Company" - }, - "cfid": 23443, - "comparator_type": "does not contain", - "filter_type": "ASN", - "id": "L", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "arguments": { - "value": "13" - }, - "cfid": 23444, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "M", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "5" - }, - "cfid": 23445, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "N", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "9" - }, - "cfid": 23446, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "O", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "12" - }, - "cfid": 23447, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "P", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "30" - }, - "cfid": 23448, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "S", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "4" - }, - "cfid": 23449, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "U", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - "value": "3" - }, - "cfid": 23450, - "comparator_type": "is not", - "filter_type": "Internal source device type", - "id": "V", - "trigger": { - "value": "6" - } - }, - { - "arguments": { - 
"value": "false" - }, - "cfid": 23451, - "comparator_type": "is", - "filter_type": "Trusted hostname", - "id": "X", - "trigger": { - "value": "false" - } - }, - { - "arguments": { - "value": 26 - }, - "cfid": 23452, - "comparator_type": "does not have tag", - "filter_type": "Tagged internal source", - "id": "Y", - "trigger": { - "tag": { - "data": { - "auto": false, - "color": 5, - "visibility": "Public" - }, - "expiry": 0, - "is_referenced": true, - "name": "No Device Tracking", - "restricted": false, - "thid": 26, - "tid": 26 - }, - "value": "26" - } - }, - { - "arguments": { - "value": 0 - }, - "cfid": 23453, - "comparator_type": "\u003e", - "filter_type": "Individual size down", - "id": "Z", - "trigger": { - "value": "5862" - } - }, - { - "cfid": 23454, - "comparator_type": "display", - "filter_type": "JA3 hash", - "id": "d1", - "trigger": { - "value": "5d41402abc4b2a76b9719d911017c592" - } - }, - { - "cfid": 23455, - "comparator_type": "display", - "filter_type": "ASN", - "id": "d2", - "trigger": { - "value": "AS12345 LOCAL-02" - } - }, - { - "cfid": 23456, - "comparator_type": "display", - "filter_type": "Destination IP", - "id": "d3", - "trigger": { - "value": "81.2.69.192" - } - }, - { - "cfid": 23457, - "comparator_type": "display", - "filter_type": "Connection hostname", - "id": "d4", - "trigger": { - "value": "example.com" - } - } - ] - } - ] - } - }, - "data_stream": { - "dataset": "darktrace.model_breach_alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "snapshot": false, - "version": "8.2.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-11T13:04:19.000Z", - "dataset": "darktrace.model_breach_alert", - "ingested": "2022-09-30T11:39:13Z", - "kind": "event", - "original": 
"{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", - "risk_score": 0.674, - "risk_score_norm": 67.4, - "severity": 2, - "start": [ - "2022-07-11T13:04:08.000Z" - ], - "type": [ - "info", - "connection" - ] - }, - "host": { - "id": "3", - "ip": [ - "81.2.69.142" - ], - "type": "desktop" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.128.5:60206" - }, - "syslog": { - "facility": { - "code": 20, - "name": "local4" - }, - "hostname": "example.cloud.darktrace.com", - "priority": 165, - "severity": { - "code": 5, - "name": "Notice" - }, - "version": "1" - } - }, - "related": { - "ip": [ - "81.2.69.142" - ], - "user": [ - "System" - ] - }, - "rule": { - "author": "System", - "category": "Informational", - "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
- "name": "Compromise::Beaconing Activity To External Rare",
- "ruleset": [
- "AP: C2 Comms"
- ],
- "uuid": "1234abcd-1234-1234-1234-123456abcdef",
- "version": "23"
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "darktrace-model_breach_alert"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. 
| keyword |
-| darktrace.model_breach_alert.aianalyst_data.related | | long |
-| darktrace.model_breach_alert.aianalyst_data.summariser | | keyword |
-| darktrace.model_breach_alert.aianalyst_data.uuid | | keyword |
-| darktrace.model_breach_alert.breach_url.domain | | keyword |
-| darktrace.model_breach_alert.breach_url.extension | | keyword |
-| darktrace.model_breach_alert.breach_url.fragment | | keyword |
-| darktrace.model_breach_alert.breach_url.full | | keyword |
-| darktrace.model_breach_alert.breach_url.original | | keyword |
-| darktrace.model_breach_alert.breach_url.password | | keyword |
-| darktrace.model_breach_alert.breach_url.path | | keyword |
-| darktrace.model_breach_alert.breach_url.port | | long |
-| darktrace.model_breach_alert.breach_url.query | | keyword |
-| darktrace.model_breach_alert.breach_url.scheme | | keyword |
-| darktrace.model_breach_alert.breach_url.username | | keyword |
-| darktrace.model_breach_alert.comment.count | The number of comments made against this breach. | long |
-| darktrace.model_breach_alert.creation_time | The timestamp that the record of the breach was created. This is distinct from the “time” field. | date |
-| darktrace.model_breach_alert.device.credentials | | keyword |
-| darktrace.model_breach_alert.device.did | The “device id”, a unique identifier. | long |
-| darktrace.model_breach_alert.device.first_seen | The first time the device was seen on the network. | date |
-| darktrace.model_breach_alert.device.hostname | The current device hostname. | keyword |
-| darktrace.model_breach_alert.device.ip | The current IP associated with the device. | keyword |
-| darktrace.model_breach_alert.device.ip6 | Current IPv6 address of this device if applicable, otherwise undefined. | keyword |
-| darktrace.model_breach_alert.device.ips.ip | A historic IP associated with the device. | keyword |
-| darktrace.model_breach_alert.device.ips.sid | The subnet id for the subnet the IP belongs to. 
| long | -| darktrace.model_breach_alert.device.ips.time | The time the IP was last seen associated with that device in readable format. | date | -| darktrace.model_breach_alert.device.ips.timems | The time the IP was last seen associated with that device in epoch time. | date | -| darktrace.model_breach_alert.device.last_seen | The last time the device was seen on the network. | date | -| darktrace.model_breach_alert.device.mac_address | The current MAC address associated with the device. | keyword | -| darktrace.model_breach_alert.device.sid | The subnet id for the subnet the device is currently located in. | long | -| darktrace.model_breach_alert.device.tags.data.auto | | boolean | -| darktrace.model_breach_alert.device.tags.data.color | | long | -| darktrace.model_breach_alert.device.tags.data.description | | keyword | -| darktrace.model_breach_alert.device.tags.data.visibility | | keyword | -| darktrace.model_breach_alert.device.tags.expiry | | long | -| darktrace.model_breach_alert.device.tags.is_referenced | | boolean | -| darktrace.model_breach_alert.device.tags.name | | keyword | -| darktrace.model_breach_alert.device.tags.restricted | | boolean | -| darktrace.model_breach_alert.device.tags.thid | | long | -| darktrace.model_breach_alert.device.tags.tid | | long | -| darktrace.model_breach_alert.device.type_label | The device type in readable format. | keyword | -| darktrace.model_breach_alert.device.type_name | The device type in system format. | keyword | -| darktrace.model_breach_alert.device.vendor | The vendor of the device network card as derived by Darktrace from the MAC address. | keyword | -| darktrace.model_breach_alert.device_score | | double | -| darktrace.model_breach_alert.is_acknowledged | | boolean | -| darktrace.model_breach_alert.mitre_techniques.id | | keyword | -| darktrace.model_breach_alert.mitre_techniques.name | | keyword | -| darktrace.model_breach_alert.model.actions.antigena.action | The action to be performed. 
| keyword | -| darktrace.model_breach_alert.model.actions.antigena.duration | The duration in seconds that the antigena action should last for. | long | -| darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator | Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. | boolean | -| darktrace.model_breach_alert.model.actions.antigena.threshold | The breach score threshold (out of 100) over which antigena will take an action. | long | -| darktrace.model_breach_alert.model.actions.is_alerting | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean | -| darktrace.model_breach_alert.model.actions.is_breach | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean | -| darktrace.model_breach_alert.model.actions.is_priority_set | If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. | boolean | -| darktrace.model_breach_alert.model.actions.is_tag_set | If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. | boolean | -| darktrace.model_breach_alert.model.actions.is_type_set | If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. | boolean | -| darktrace.model_breach_alert.model.actions.model | If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. | boolean | -| darktrace.model_breach_alert.model.active_times.devices | The device ids for devices on the list. | flattened | -| darktrace.model_breach_alert.model.active_times.tags | A system field. 
| flattened | -| darktrace.model_breach_alert.model.active_times.type | The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist. | keyword | -| darktrace.model_breach_alert.model.active_times.version | A system field. | long | -| darktrace.model_breach_alert.model.behaviour | The score modulation function as set in the model editor. | keyword | -| darktrace.model_breach_alert.model.category | The behavior category of the model that was breached. | keyword | -| darktrace.model_breach_alert.model.created.by | Username that created the model. | keyword | -| darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword | -| darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword | -| darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword | -| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. | long | -| darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long | -| darktrace.model_breach_alert.model.description | The optional description of the model. | keyword | -| darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword | -| darktrace.model_breach_alert.model.edited.userid | | long | -| darktrace.model_breach_alert.model.in_compliance_behavior_category | Whether the model is in the compliance behavior category. | boolean | -| darktrace.model_breach_alert.model.interval | Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. | long | -| darktrace.model_breach_alert.model.is_active | Whether the model is enabled or disabled. 
| boolean | -| darktrace.model_breach_alert.model.is_auto_suppress | Whether the model will automatically be suppressed in the case of over-breaching. | boolean | -| darktrace.model_breach_alert.model.is_auto_updatable | Whether the model is suitable for auto update. | boolean | -| darktrace.model_breach_alert.model.is_auto_update | Whether the model is enabled for auto update. | boolean | -| darktrace.model_breach_alert.model.is_sequenced | Whether the components are required to fire in the specified order for the model breach to occur. | boolean | -| darktrace.model_breach_alert.model.is_shared_endpoints | For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. | boolean | -| darktrace.model_breach_alert.model.logic.data_component_list | This will be a list of component ID numbers. | long | -| darktrace.model_breach_alert.model.logic.data_weighted_component_list.cid | | long | -| darktrace.model_breach_alert.model.logic.data_weighted_component_list.weight | | long | -| darktrace.model_breach_alert.model.logic.target_score | | long | -| darktrace.model_breach_alert.model.logic.type | The type of model. | keyword | -| darktrace.model_breach_alert.model.logic.version | A number representing the version of model logic. | long | -| darktrace.model_breach_alert.model.modified | Timestamp at which the model was last modified, in a readable format. | date | -| darktrace.model_breach_alert.model.name | Name of the model that was breached. | keyword | -| darktrace.model_breach_alert.model.phid | The model “policy history” id. Increments when the model is modified. | long | -| darktrace.model_breach_alert.model.pid | The “policy id” of the model that was breached. | long | -| darktrace.model_breach_alert.model.priority | The model’s priority affects the strength with which it breaches (0-5 scale). 
| long | -| darktrace.model_breach_alert.model.tags | A list of tags that have been applied to this model in the Threat Visualizer model editor. | keyword | -| darktrace.model_breach_alert.model.throttle | For an individual device, this is the value in seconds for which this model will not fire again. | long | -| darktrace.model_breach_alert.model.uuid | A unique ID that is generated on creation of the model. | keyword | -| darktrace.model_breach_alert.model.version | The version of the model. Increments on each edit. | long | -| darktrace.model_breach_alert.pb_score | The model breach score, represented by a value between 0 and 1. | double | -| darktrace.model_breach_alert.pbid | The “policy breach ID” of the model breach. | long | -| darktrace.model_breach_alert.score | The model breach score, represented by a value between 0 and 1. | double | -| darktrace.model_breach_alert.time | The timestamp when the record was created in epoch time. | date | -| darktrace.model_breach_alert.triggered_components.cbid | The “component breach id”. A unique identifier for the component breach. | long | -| darktrace.model_breach_alert.triggered_components.chid | The “component history id”. Increments when the component is edited. | long | -| darktrace.model_breach_alert.triggered_components.cid | The “component id”. A unique identifier. | long | -| darktrace.model_breach_alert.triggered_components.interval | The timeframe in seconds within which the threshold must be satisfied. | long | -| darktrace.model_breach_alert.triggered_components.logic.data | It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. | text | -| darktrace.model_breach_alert.triggered_components.logic.version | The version of the component logic. 
| keyword | -| darktrace.model_breach_alert.triggered_components.metric.label | The metric which data is returned for in readable format. | keyword | -| darktrace.model_breach_alert.triggered_components.metric.mlid | The “metric logic” id - unique identifier. | long | -| darktrace.model_breach_alert.triggered_components.metric.name | The metric which data is returned for in system format. | keyword | -| darktrace.model_breach_alert.triggered_components.size | The size of the value that was compared in the component. | long | -| darktrace.model_breach_alert.triggered_components.threshold | The threshold value that the size must exceed for the component to breach. | long | -| darktrace.model_breach_alert.triggered_components.time | A timestamp in Epoch time at which the components were triggered. | date | -| darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value | The value the filtertype should be compared against (using the specified comparator) to create the filter. | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.cfid | The ‘component filter id’. A unique identifier for the filter as part of a the component. | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.comparator_type | The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type | The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.id | A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. 
| keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.auto | | boolean | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.color | | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description | | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility | | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry | nan | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced | nan | boolean | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name | nan | keyword | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted | nan | boolean | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid | nan | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.tid | nan | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value | The actual value that triggered the filter. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| rule.version | The version / revision of the rule being used for analysis. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. 
| match_only_text | - - -### system_status_alert - -This is the `system_status_alert` dataset. - -#### Example - -An example event for `system_status_alert` looks as following: - -```json -{ - "@timestamp": "2021-04-18T15:44:11.000Z", - "agent": { - "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2", - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "darktrace": { - "system_status_alert": { - "alert_name": "Advanced Search", - "child_id": 1, - "hostname": "example-vsensor", - "ip_address": "175.16.199.1", - "last_updated": "2021-04-18T15:44:11.000Z", - "last_updated_status": "2021-04-18T15:44:11.000Z", - "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", - "name": "advanced_search", - "priority": 43, - "priority_level": "medium", - "status": "active", - "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" - } - }, - "data_stream": { - "dataset": "darktrace.system_status_alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", - "snapshot": false, - "version": "8.2.1" - }, - "event": { - "agent_id_status": "verified", - "dataset": "darktrace.system_status_alert", - "id": "abcdabcd-1234-1234-1234-3abababcdcd3", - "ingested": "2022-09-30T11:41:35Z", - "kind": "alert", - "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). 
If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", - "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", - "risk_score": 43, - "risk_score_norm": 43, - "type": [ - "info" - ] - }, - "host": { - "hostname": "example-vsensor", - "ip": "175.16.199.1" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.128.5:36197" - }, - "syslog": { - "facility": { - "code": 20, - "name": "local4" - }, - "hostname": "example.cloud.darktrace.com", - "priority": 165, - "severity": { - "code": 5, - "name": "Notice" - }, - "version": "1" - } - }, - "related": { - "hosts": [ - "example-vsensor" - ], - "ip": [ - "175.16.199.1" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "darktrace-system_status_alert" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| darktrace.system_status_alert.acknowledge_timeout | When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. | keyword | -| darktrace.system_status_alert.alert_name | A human readable name of the alert type. | keyword | -| darktrace.system_status_alert.child_id | For probes (physical or virtual), the unique ID associated with the probe. | long | -| darktrace.system_status_alert.hostname | The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. | keyword | -| darktrace.system_status_alert.ip_address | The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. | keyword | -| darktrace.system_status_alert.last_updated | A timestamp in epoch time that the system alert itself was updated. | date | -| darktrace.system_status_alert.last_updated_status | A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. | date | -| darktrace.system_status_alert.message | A textual description of the system event that has triggered the alert. | keyword | -| darktrace.system_status_alert.name | A system name of the alert type. 
| keyword | -| darktrace.system_status_alert.priority | The numeric criticality associated with the alert. | double | -| darktrace.system_status_alert.priority_level | The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical. | keyword | -| darktrace.system_status_alert.status | The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state. | keyword | -| darktrace.system_status_alert.url.domain | | keyword | -| darktrace.system_status_alert.url.extension | | keyword | -| darktrace.system_status_alert.url.fragment | | keyword | -| darktrace.system_status_alert.url.full | | keyword | -| darktrace.system_status_alert.url.original | | keyword | -| darktrace.system_status_alert.url.password | | keyword | -| darktrace.system_status_alert.url.path | | keyword | -| darktrace.system_status_alert.url.port | | long | -| darktrace.system_status_alert.url.query | | keyword | -| darktrace.system_status_alert.url.scheme | | keyword | -| darktrace.system_status_alert.url.username | | keyword | -| darktrace.system_status_alert.uuid | A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. 
This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. 
| keyword |
-| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/darktrace/0.1.0/img/darktrace-logo.svg b/packages/darktrace/0.1.0/img/darktrace-logo.svg
deleted file mode 100755
index dd926f6292..0000000000
--- a/packages/darktrace/0.1.0/img/darktrace-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
- 
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/img/darktrace-screenshot.png b/packages/darktrace/0.1.0/img/darktrace-screenshot.png
deleted file mode 100755
index c78dc5bd31..0000000000
Binary files a/packages/darktrace/0.1.0/img/darktrace-screenshot.png and /dev/null differ
diff --git a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json
deleted file mode 100755
index 3393705a4b..0000000000
--- a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Darktrace System Status Alerts Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"3702c81f-57cb-4f31-bb86-97827dab7021\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1b85280d-b235-4523-b782-fd77e9046901\":{\"columnOrder\":[\"426426da-2361-40d0-a759-2591bdf082c9\"],\"columns\":{\"426426da-2361-40d0-a759-2591bdf082c9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"3702c81f-57cb-4f31-bb86-97827dab7021\",\"key\":\"darktrace.system_status_alert.status\",\"negate\":false,\"params\":{\"query\":\"active\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.system_status_alert.status\":\"active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"accessor\":\"426426da-2361-40d0-a759-2591bdf082c9\",\"layerId\":\"1b85280d-b235-4523-b782-fd77e9046901\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5f64c3c5-4d59-4abb-a6ab-234a1ee66151\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5f64c3c5-4d59-4abb-a6ab-234a1ee66151\",\"title\":\"Number of Active Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f27d6430-9a24-4f7b-86b0-43950b6f2393\":{\"columnOrder\":[\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\",\"11c181af-dff4-4a0a-ad2e-0846bd66affe\"],\"columns\":{\"11c181af-dff4-4a0a-ad2e-0846bd66affe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Priority Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"11c181af-dff4-4a0a-ad2e-0846bd66affe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.system_status_alert.priority_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\"],\"layerId\":\"f27d6430-9a24-4f7b-86b0-43950b6f2393\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"11c181af-dff4-4a0a-ad2e-0846bd66affe\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e7b10ecb-271a-4010-9947-9597225acd58\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e7b10ecb-271a-4010-9947-9597225acd58\",\"title\":\"Distribution of System Status Alerts by Priority Level [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b1042ac5-75bd-48e1-9c8c-4ab507402159\":{\"columnOrder\":[\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\",\"72135a2c-712d-421e-8e29-8a5c82f557be\"],\"columns\":{\"72135a2c-712d-421e-8e29-8a5c82f557be\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Hostname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"72135a2c-712d-421e-8e29-8a5c82f557be\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":
{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\",\"isTransposed\":false},{\"columnId\":\"72135a2c-712d-421e-8e29-8a5c82f557be\",\"isTransposed\":false}],\"layerId\":\"b1042ac5-75bd-48e1-9c8c-4ab507402159\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"77e3df19-769a-414a-b96b-dbb37169629d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"77e3df19-769a-414a-b96b-dbb37169629d\",\"title\":\"Top 10 Hostname with Highest System Status Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"607d2de2-df5d-4503-90e0-4ac42323c46e\":{\"columnOrder\":[\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\",\"4ba339dd-9edb-445a-a121-43092d3b33a5\"],\"columns\":{\"4ba339dd-9edb-445a-a121-43092d3b33a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ba339dd-9edb-445a-a121-43092d3b33a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.system_status_alert.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\",\"isTransposed\":false},{\"columnId\":\"4ba339dd-9edb-445a-a121-43092d3b33a5\",\"isTransposed\":false}],\"layerId\":\"607d2de2-df5d-4503-90e0-4ac42323c46e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7d794103-85bd-4669-b9bc-b9223d2eba5c\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7d794103-85bd-4669-b9bc-b9223d2eba5c\",\"title\":\"Top 10 Alert Name with Highest System Status Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"panelRefName\":\"panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"type\":\"search\",\"version\":\"8.2.1\"}]", - "timeRestore": false, - "title": "[Logs Darktrace] System Status Alerts Overview", - "version": 1 - }, - "coreMigrationVersion": "8.2.1", - "id": "darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:3702c81f-57cb-4f31-bb86-97827dab7021",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e",
- "type": "index-pattern"
- },
- {
- "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8",
- "name": "00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd:panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json
deleted file mode 100755
index d1d19f372a..0000000000
--- a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json
+++ /dev/null
@@ -1,157 +0,0 @@ -{ - "attributes": { - "description": "Darktrace Model Breach Alerts Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"16c69f2e-ffe0-4393-9d91-dece311e3f0f\":{\"columnOrder\":[\"099298f5-fc58-4473-860e-84bc44f2e387\"],\"columns\":{\"099298f5-fc58-4473-860e-84bc44f2e387\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"accessor\":\"099298f5-fc58-4473-860e-84bc44f2e387\",\"layerId\":\"16c69f2e-ffe0-4393-9d91-dece311e3f0f\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14e3bf5d-011f-48d2-83a9-fc62d707cdd1\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"14e3bf5d-011f-48d2-83a9-fc62d707cdd1\",\"title\":\"Number of Alerts [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"88df79e3-51ce-46c3-b8da-6522f6dc9e40\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8d4cd3ff-fd36-462e-ae82-826554dc847d\":{\"columnOrder\":[\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\"],\"columns\":{\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"rule.uuid\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"88df79e3-51ce-46c3-b8da-6522f6dc9e40\",\"key\":\"darktrace.model_breach_alert.model.is_active\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.model_breach_alert.model.is_active\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"accessor\":\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\",\"layerId\":\"8d4cd3ff-fd36-462e-ae82-826554dc847d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"07f13cdd-3a86-40e5-914f-8f50c695b6ee\",\"w\":15,\"x\":15,\"y\":0},\"panelIndex\":\"07f13cdd-3a86-40e5-914f-8f50c695b6ee\",\"title\":\"Number of Active Models [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a4c3d027-4533-411a-b9f1-26f0a4fedb66\":{\"columnOrder\":[\"1ea9479b-4db9-4215-97d9-1d7a275176ab\",\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\"],\"columns\":{\"1ea9479b-4db9-4215-97d9-1d7a275176ab\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"rule.category\"},\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ea9479b-4db9-4215-97d9-1d7a275176ab\"],\"layerId\":\"a4c3d027-4533-411a-b9f1-26f0a4fedb66\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1fafffde-be8a-4e46-bc58-a52db1e94931\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"1fafffde-be8a-4e46-bc58-a52db1e94931\",\"title\":\"Distribution of Model Breach Alerts by Model Category [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a0016c8-0623-4e96-a007-240f0bfe88c2\":{\"columnOrder\":[\"55131f02-db30-408f-8795-9cfee8f6758b\",\"b5b19414-8d46-4957-b69a-7a57518551fe\"],\"columns\":{\"55131f02-db30-408f-8795-9cfee8f6758b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Model 
Priority\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b5b19414-8d46-4957-b69a-7a57518551fe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.severity\"},\"b5b19414-8d46-4957-b69a-7a57518551fe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"b5b19414-8d46-4957-b69a-7a57518551fe\"],\"layerId\":\"8a0016c8-0623-4e96-a007-240f0bfe88c2\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"55131f02-db30-408f-8795-9cfee8f6758b\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ddcd6a80-5ab0-4522-b984-022b7da2d4b0\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"ddcd6a80-5ab0-4522-b984-022b7da2d4b0\",\"title\":\"Distribution of Model Breach Alerts by Model Priority [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\":{\"columnOrder\":[\"c2ee5623-973c-416f-80b0-bae47d66f83b\",\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\"],\"columns\":{\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"},\"c2ee5623-973c-416f-80b0-bae47d66f83b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model Behaviour\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.model_breach_alert.model.behaviour\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c2ee5623-973c-416f-80b0-bae47d66f83b\"],\"layerId\":\"267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"44710442-b7b8-413a-9e52-4d7ba519a296\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"44710442-b7b8-413a-9e52-4d7ba519a296\",\"title\":\"Distribution of Model Breach Alerts by Model Behaviour [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"26e0acea-9274-411a-91a3-8537b1e00aff\":{\"columnOrder\":[\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\",\"b451b0a8-806d-4d37-85c6-85c98330a533\"],\"columns\":{\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b451b0a8-806d-4d37-85c6-85c98330a533\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"b451b0a8-806d-4d37-85c6-85c98330a533\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Model Breach 
Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.risk_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\",\"isTransposed\":false,\"summaryRow\":\"none\"},{\"columnId\":\"b451b0a8-806d-4d37-85c6-85c98330a533\",\"isTransposed\":false}],\"layerId\":\"26e0acea-9274-411a-91a3-8537b1e00aff\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"747c1919-e215-4b97-9d8b-8ee528c1deaa\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"747c1919-e215-4b97-9d8b-8ee528c1deaa\",\"title\":\"Top 10 Model Breach Alerts by Highest Model Breach Score [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"adde69bc-fda5-4560-8a54-202ca975652f\":{\"columnOrder\":[\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\",\"ead17241-a253-4c78-917d-8ff1249061df\"],\"columns\":{\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ead17241-a253-4c78-917d-8ff1249061df\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"ead17241-a253-4c78-917d-8ff1249061df\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\",\"isTransposed\":false,\"width\":574},{\"columnId\":\"ead17241-a253-4c78-917d-8ff1249061df\",\"isTransposed\":false}],\"layerId\":\"adde69bc-fda5-4560-8a54-202ca975652f\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"aca1678c-d3d8-478e-a09c-dfdd86a5b3f7\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"aca1678c-d3d8-478e-a09c-dfdd86a5b3f7\",\"title\":\"Top 10 Model Name with Highest Model Breach [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0c7a50df-8359-42ff-806d-a22eb35b597a\":{\"columnOrder\":[\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\",\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\"],\"columns\":{\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.type\"},\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\",\"isTransposed\":false},{\"columnId\":\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\",\"isTransposed\":false}],\"layerId\":\"0c7a50df-8359-42ff-806d-a22eb35b597a\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"19b3fa09-6280-430a-9046-a613dfde3696\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"19b3fa09-6280-430a-9046-a613dfde3696\",\"title\":\"Top 10 Device Type with 
Highest Model Breach [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7bd679f9-8a5b-4906-beaa-750102e3a26f\":{\"columnOrder\":[\"13359fdf-964f-441c-8d49-dcacd44d74a9\",\"d0c28963-3b20-44ed-bd81-668ccef65e64\"],\"columns\":{\"13359fdf-964f-441c-8d49-dcacd44d74a9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Vendor\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0c28963-3b20-44ed-bd81-668ccef65e64\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.model_breach_alert.device.vendor\"},\"d0c28963-3b20-44ed-bd81-668ccef65e64\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"13359fdf-964f-441c-8d49-dcacd44d74a9\"],\"layerId\":\"7bd679f9-8a5b-4906-beaa-750102e3a26f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0c28963-3b20-44ed-bd81-668ccef65e64\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"185e6cd3-4cf8-45fd-937e-77abd9e6aad7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"185e6cd3-4cf8-45fd-937e-77abd9e6aad7\",\"title\":\"Distribution of Model Breach Alerts by Targeted Vendor [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8ea502e-ae28-47dd-9b90-484d50083243\":{\"columnOrder\":[\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\",\"dbd63d7d-3048-4f3e-a068-d891e14f517b\"],\"columns\":{\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Host 
ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dbd63d7d-3048-4f3e-a068-d891e14f517b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.id\"},\"dbd63d7d-3048-4f3e-a068-d891e14f517b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\",\"isTransposed\":false},{\"columnId\":\"dbd63d7d-3048-4f3e-a068-d891e14f517b\",\"isTransposed\":false}],\"layerId\":\"c8ea502e-ae28-47dd-9b90-484d50083243\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7c6faaf4-5d0c-49a1-b1d2-605f18e675b0\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"7c6faaf4-5d0c-49a1-b1d2-605f18e675b0\",\"title\":\"Top 10 Device Host ID with Highest Model Breach [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88c07c59-c625-4652-8156-54991d0869d8\":{\"columnOrder\":[\"3fdb34e6-9e66-42b8-8705-ce15282352a8\",\"0f644c53-93f7-450a-ab4a-2d08a26251a7\"],\"columns\":{\"0f644c53-93f7-450a-ab4a-2d08a26251a7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"},\"3fdb34e6-9e66-42b8-8705-ce15282352a8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Antigena Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0f644c53-93f7-450a-ab4a-2d08a26251a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"0f644c53-93f7-450a-ab4a-2d08a26251a7\"],\"layerId\":\"88c07c59-c625-4652-8156-54991d0869d8\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"3fdb34e6-9e66-42b8-8705-ce15282352a8\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"889bb859-0938-46a4-b078-30f5fedd10a7\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"889bb859-0938-46a4-b078-30f5fedd10a7\",\"title\":\"Distribution of Model Breach Alerts by Antigena Action [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"68e57e92-bad9-44bd-8022-16b46d218096\":{\"columnOrder\":[\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\",\"e9f48d2b-6578-4b41-afdb-3070764712b2\"],\"columns\":{\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"ignoreTimeRange\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"e9f48d2b-6578-4b41-afdb-3070764712b2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of Model Throttle\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.model.throttle\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"e9f48d2b-6578-4b41-afdb-3070764712b2\"],\"layerId\":\"68e57e92-bad9-44bd-8022-16b46d218096\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"e9f48d2b-6578-4b41-afdb-3070764712b2\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"c6560c58-be58-4718-abed-0356a2ba3b09\",\"w\":48,\"x\":0,\"y\":75},\"panelIndex\":\"c6560c58-be58-4718-abed-0356a2ba3b09\",\"title\":\"Model Throttle Over Time [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Tag Cloud\",\"emptyAsNull\":false,\"field\":\"darktrace.model_breach_alert.pbid\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Mitre Techniques\",\"field\":\"threat.technique.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.model_breach_alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":23,\"i\":\"12736f17-d97c-4f4c-a66b-5eba7c2fec9c\",\"w\":48,\"x\":0,\"y\":94},\"panelIndex\":\"12736f17-d97c-4f4c-a66b-5eba7c2fec9c\",\"title\":\"Top Mitre Techniques [Logs Darktrace]\",\"type\":\"visualization\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"w\":48,\"x\":0,\"y\":117},\"panelIndex\":\"e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"panelRefName\":\"panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"type\":\"search\",\"version\":\"8.2.1\"}]", - "timeRestore": false, - "title": "[Logs Darktrace] Model Breach Alerts Overview", - "version": 1 - }, - "coreMigrationVersion": "8.2.1", - "id": "darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:88df79e3-51ce-46c3-b8da-6522f6dc9e40", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-current-indexpattern", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "12736f17-d97c-4f4c-a66b-5eba7c2fec9c:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8", - "name": "e9b4f5f5-d478-403d-a78e-9e39ad3486f0:panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json deleted file mode 100755 index c19715efa8..0000000000 --- a/packages/darktrace/0.1.0/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Darktrace AI Analyst Alerts Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"6f5adda0-d13e-48e5-aead-37e6448b922a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"6f5adda0-d13e-48e5-aead-37e6448b922a\",\"key\":\"darktrace.ai_analyst_alert.is_user_triggered\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_user_triggered\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e28c7c69-2ae8-46fd-b361-38be020491a8\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"e28c7c69-2ae8-46fd-b361-38be020491a8\",\"title\":\"Count of User Triggered AI Analyst Investigation [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"68dafc9f-9ed2-4ef9-8587-14dba4241364\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"68dafc9f-9ed2-4ef9-8587-14dba4241364\",\"key\":\"darktrace.ai_analyst_alert.is_external_triggered\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_external_triggered\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"be1b9c5a-2ea0-48ac-8ad6-221769ff83f9\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"be1b9c5a-2ea0-48ac-8ad6-221769ff83f9\",\"title\":\"Count of Externally Triggered AI Analyst Investigation [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"fb69f35b-439b-47fc-b942-15dc9d439f8b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"fb69f35b-439b-47fc-b942-15dc9d439f8b\",\"key\":\"darktrace.ai_analyst_alert.is_acknowledged\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_acknowledged\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"034d5870-b571-4276-9fad-1495a3665eed\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"034d5870-b571-4276-9fad-1495a3665eed\",\"title\":\"Count of Acknowledged AI Analyst Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66afac91-ca1e-4a4a-ab0d-e18a2903ace7\":{\"columnOrder\":[\"6e2b5d5b-0584-412f-a87f-b60279d2173d\",\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\"],\"columns\":{\"6e2b5d5b-0584-412f-a87f-b60279d2173d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Behavior Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.ai_analyst_alert.category\"},\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6e2b5d5b-0584-412f-a87f-b60279d2173d\"],\"layerId\":\"66afac91-ca1e-4a4a-ab0d-e18a2903ace7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"65f35405-87eb-4a98-a0c2-2e3c7426cb28\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"65f35405-87eb-4a98-a0c2-2e3c7426cb28\",\"title\":\"Distribution of AI Analyst Alerts by Behavior Category [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"effe003f-604a-49a3-a903-d4d2c75df944\":{\"columnOrder\":[\"937bae71-7159-4e35-87cf-dc372875ad59\",\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\"],\"columns\":{\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"937bae71-7159-4e35-87cf-dc372875ad59\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Summariser\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.ai_analyst_alert.summariser\"}},
\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\"],\"layerId\":\"effe003f-604a-49a3-a903-d4d2c75df944\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"937bae71-7159-4e35-87cf-dc372875ad59\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8882d78e-7df8-4d33-b7b5-e21f5d25dfe7\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"8882d78e-7df8-4d33-b7b5-e21f5d25dfe7\",\"title\":\"Distribution of AI Analyst Alerts by Summariser [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dea45bd8-269e-48c4-98d3-fc47717ae139\":{\"columnOrder\":[\"71a3581e-24ae-48d8-958d-c574488b2f48\",\"e6083dcb-9465-4007-a133-569f31fe732d\"],\"columns\":{\"71a3581e-24ae-48d8-958d-c574488b2f48\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert 
Title\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e6083dcb-9465-4007-a133-569f31fe732d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.reason\"},\"e6083dcb-9465-4007-a133-569f31fe732d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Risk Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.risk_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"71a3581e-24ae-48d8-958d-c574488b2f48\",\"isTransposed\":false},{\"columnId\":\"e6083dcb-9465-4007-a133-569f31fe732d\",\"isTransposed\":false}],\"layerId\":\"dea45bd8-269e-48c4-98d3-fc47717ae139\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6b003410-fd00-4dc5-b9c7-8bd1f711ffbe\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6b003410-fd00-4dc5-b9c7-8bd1f711ffbe\",\"title\":\"Top 10 AI Analyst Alerts with Highest Score [Logs 
Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3bb3b1dd-30aa-46d6-8a14-32c14c706f47\":{\"columnOrder\":[\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\",\"36e2011c-141b-412b-a5fd-e5e9c62183ad\"],\"columns\":{\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Hostname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36e2011c-141b-412b-a5fd-e5e9c62183ad\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"},\"36e2011c-141b-412b-a5fd-e5e9c62183ad\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\",\"isTransposed\":false},{\"columnId\":\"36e2011c-141b-412b-a5fd-e5e9c62183ad\",\"isTransposed\":false}],\"layerId\":\"3bb3b1dd-30aa-46d6-8a14-32c14c706f47\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"930d2983-f872-4001-ba45-b44aee791167\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"930d2983-f872-4001-ba45-b44aee791167\",\"title\":\"Top 10 BreachDevices Hostname with Highest AI 
Analyst Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9eda772e-1fbd-4296-a543-8bbd18b2359a\":{\"columnOrder\":[\"45d996c5-b696-4fff-8f83-78473cc7798f\",\"252b0567-f0b1-4677-b6d8-e9d7a229431a\"],\"columns\":{\"252b0567-f0b1-4677-b6d8-e9d7a229431a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Group Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.ai_analyst_alert.group_score\"},\"45d996c5-b696-4fff-8f83-78473cc7798f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert Title\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"252b0567-f0b1-4677-b6d8-e9d7a229431a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.reason\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"252b0567-f0b1-4677-b6d8-e9d7a229431a\",\"isTransposed\":false},{\"columnId\":\"45d996c5-b696-4fff-8f83-78473cc7798f\",\"isTransposed\":false,\"width\":551}],\"layerId\":\"9eda772e-1fbd-4296-a543-8bbd18b2359a\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"7e4d0098-0cc8-403d-aaca-92758d697950\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"7e4d0098-0cc8-403d-aaca-92758d697950\",\"title\":\"Top 10 AI Analyst Alerts with Highest Group Score [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"4ce4eb50-af35-423a-b20f-61a715aa4388\",\"w\":48,\"x\":0,\"y\":61},\"panelIndex\":\"4ce4eb50-af35-423a-b20f-61a715aa4388\",\"panelRefName\":\"panel_4ce4eb50-af35-423a-b20f-61a715aa4388\",\"type\":\"search\",\"version\":\"8.2.1\"}]",
- "timeRestore": false,
- "title": "[Logs Darktrace] AI Analyst Alerts Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.2.1",
- "id": "darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8",
- "migrationVersion": {
- "dashboard": "8.2.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:6f5adda0-d13e-48e5-aead-37e6448b922a",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:68dafc9f-9ed2-4ef9-8587-14dba4241364",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "034d5870-b571-4276-9fad-1495a3665eed:fb69f35b-439b-47fc-b942-15dc9d439f8b",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47",
- "type": 
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a",
- "type": "index-pattern"
- },
- {
- "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8",
- "name": "4ce4eb50-af35-423a-b20f-61a715aa4388:panel_4ce4eb50-af35-423a-b20f-61a715aa4388",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json
deleted file mode 100755
index 7410d2d10f..0000000000
--- a/packages/darktrace/0.1.0/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "attributes": {
- "columns": [
- "darktrace.model_breach_alert.pbid",
- "rule.category",
- "rule.name",
- "event.risk_score",
- "host.id"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Model Breach Alerts Essential Details [Logs Darktrace]"
- },
- "coreMigrationVersion": "8.2.1",
- "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8",
- "migrationVersion": {
- "search": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json
deleted file mode 100755
index f50fca24dc..0000000000
--- a/packages/darktrace/0.1.0/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.id",
- "event.reason",
- "darktrace.ai_analyst_alert.related_breaches.pbid",
- "darktrace.ai_analyst_alert.attack_phases",
- "event.risk_score"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "AI Analyst Alerts Essential Details [Logs Darktrace]"
- },
- "coreMigrationVersion": "8.2.1",
- "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8",
- "migrationVersion": {
- "search": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.0/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json
deleted file mode 100755
index d4a24be88d..0000000000
--- a/packages/darktrace/0.1.0/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.id",
- "darktrace.system_status_alert.last_updated_status",
- "host.ip",
- "darktrace.system_status_alert.alert_name",
- "event.risk_score",
- "darktrace.system_status_alert.status"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "System Status Alerts Essential Details [Logs Darktrace]"
- },
- "coreMigrationVersion": "8.2.1",
- "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8",
- "migrationVersion": {
- "search": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/darktrace/0.1.0/manifest.yml b/packages/darktrace/0.1.0/manifest.yml
deleted file mode 100755
index c3b0197f6b..0000000000
--- a/packages/darktrace/0.1.0/manifest.yml
+++ /dev/null
@@ -1,136 +0,0 @@ -format_version: 1.0.0 -name: darktrace -title: Darktrace -version: 0.1.0 -license: basic -description: Collect logs from Darktrace with Elastic Agent. -type: integration -categories: - - security -conditions: - kibana.version: ^8.2.1 -screenshots: - - src: /img/darktrace-screenshot.png - title: Darktrace Model Breach Alert Dashboard Screenshot - size: 600x600 - type: image/png -icons: - - src: /img/darktrace-logo.svg - title: Darktrace Logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: darktrace - title: Darktrace logs - description: Collect logs from Darktrace. - inputs: - - type: httpjson - title: Collect Darktrace logs via API - description: Collecting Darktrace logs via API. - vars: - - name: url - type: text - title: URL - description: Darktrace console URL. - required: true - - name: public_token - type: password - title: Public API Token - description: Public API Token. - required: true - - name: private_token - type: password - title: Private API Token - description: Private API Token. - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: tcp - title: Collect Darktrace logs via TCP - description: Collecting Darktrace logs via TCP. - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: udp - title: Collect Darktrace logs via UDP - description: Collecting Darktrace logs via UDP. - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.10-beta.1/LICENSE.txt b/packages/gcp/2.11.10-beta.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.10-beta.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10-beta.1/changelog.yml b/packages/gcp/2.11.10-beta.1/changelog.yml
deleted file mode 100755
index 4ece141a64..0000000000
--- a/packages/gcp/2.11.10-beta.1/changelog.yml
+++ /dev/null
@@ -1,302 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/agent.yml
deleted file mode 100755
index 55b1dd9741..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. -
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/fields.yml
deleted file mode 100755
index 01a7e615bf..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total"
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 941808c0d2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,87 +0,0 @@ ---- -description: Pipeline for parsing GCP Compute metrics. -processors: - - rename: - field: gcp.metrics.firewall.dropped.bytes - target_field: gcp.compute.firewall.dropped.bytes - ignore_missing: true - - rename: - field: gcp.metrics.firewall.dropped_packets_count.value - target_field: gcp.compute.firewall.dropped_packets_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.reserved_cores.value - target_field: gcp.compute.instance.cpu.reserved_cores.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage_time.sec - target_field: gcp.compute.instance.cpu.usage_time.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage.pct - target_field: gcp.compute.instance.cpu.usage.pct - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read.bytes - target_field: gcp.compute.instance.disk.read.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read_ops_count.value - target_field: gcp.compute.instance.disk.read_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write.bytes - target_field: gcp.compute.instance.disk.write.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write_ops_count.value - target_field: gcp.compute.instance.disk.write_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_size.value - target_field: gcp.compute.instance.memory.balloon.ram_size.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_used.value - target_field: gcp.compute.instance.memory.balloon.ram_used.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_in.bytes - target_field: gcp.compute.instance.memory.balloon.swap_in.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_out.bytes - target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.bytes - target_field: gcp.compute.instance.network.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.packets.count - target_field: gcp.compute.instance.network.ingress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.bytes - target_field: gcp.compute.instance.network.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.packets.count - target_field: gcp.compute.instance.network.egress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime.sec - target_field: gcp.compute.instance.uptime.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime_total.sec - target_field: gcp.compute.instance.uptime_total.sec - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. -
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/fields.yml
deleted file mode 100755
index c55330dd65..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
-  description: Google Cloud Compute metrics
-  type: group
-  fields:
-    - name: firewall.dropped.bytes
-      type: long
-      description: Incoming bytes dropped by the firewall
-    - name: firewall.dropped_packets_count.value
-      type: long
-      description: Incoming packets dropped by the firewall
-    - name: instance.cpu.reserved_cores.value
-      type: double
-      description: Number of cores reserved on the host of the instance
-    - name: instance.cpu.usage_time.sec
-      type: double
-      description: Usage for all cores in seconds
-    - name: instance.cpu.usage.pct
-      type: double
-      description: The fraction of the allocated CPU that is currently in use on the instance
-    - name: instance.disk.read.bytes
-      type: long
-      description: Count of bytes read from disk
-    - name: instance.disk.read_ops_count.value
-      type: long
-      description: Count of disk read IO operations
-    - name: instance.disk.write.bytes
-      type: long
-      description: Count of bytes written to disk
-    - name: instance.disk.write_ops_count.value
-      type: long
-      description: Count of disk write IO operations
-    - name: instance.memory.balloon.ram_size.value
-      type: long
-      description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
-    - name: instance.memory.balloon.ram_used.value
-      type: long
-      description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
-    - name: instance.memory.balloon.swap_in.bytes
-      type: long
-      description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
-    - name: instance.memory.balloon.swap_out.bytes
-      type: long
-      description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
-    - name: instance.network.ingress.bytes
-      type: long
-      description: Count of bytes received from the network
-    - name: instance.network.ingress.packets.count
-      type: long
-      description: Count of packets received from the network
-    - name: instance.network.egress.bytes
-      type: long
-      description: Count of bytes sent over the network
-    - name: instance.network.egress.packets.count
-      type: long
-      description: Count of packets sent over the network
-    - name: instance.uptime.sec
-      type: long
-      description: Number of seconds the VM has been running.
-    - name: instance.uptime_total.sec
-      type: long
-      description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
-  description: >-
-    GCP module
-  fields:
-    - name: labels
-      type: object
-      description: >-
-        GCP monitoring metrics labels
-      fields:
-        - name: user.*
-          type: object
-          object_type: keyword
-        - name: metadata.*
-          type: object
-          object_type: keyword
-        - name: metrics.*
-          type: object
-          object_type: keyword
-        - name: system.*
-          type: object
-          object_type: keyword
-        - name: resource.*
-          type: object
-          object_type: keyword
-    - name: "metrics.*.*.*.*"
-      type: object
-      object_type: double
-      object_type_mapping_type: "*"
-      description: >
-        Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
-  - input: gcp/metrics
-    title: GCP Compute Metrics
-    description: Collect GCP Compute Metrics
-    vars:
-      - name: zone
-        type: text
-        title: GCP Zone
-        multi: false
-        required: false
-        show_user: true
-      - name: region
-        type: text
-        title: GCP Region
-        multi: false
-        required: false
-        show_user: true
-      - name: period
-        type: text
-        title: Period
-        default: 60s
-        required: true
-      - name: exclude_labels
-        type: bool
-        title: Exclude Labels
-        description: Exclude additional labels from metrics
-        multi: false
-        required: false
-        show_user: true
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
-  "@timestamp": "2017-10-12T08:05:34.853Z",
-  "cloud": {
-    "account": {
-      "id": "elastic-obs-integrations-dev",
-      "name": "elastic-obs-integrations-dev"
-    },
-    "instance": {
-      "id": "4751091017865185079",
-      "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-    },
-    "machine": {
-      "type": "e2-medium"
-    },
-    "provider": "gcp",
-    "availability_zone": "us-central1-c",
-    "region": "us-central1"
-  },
-  "event": {
-    "dataset": "gcp.compute",
-    "duration": 115000,
-    "module": "gcp"
-  },
-  "gcp": {
-    "compute": {
-      "firewall": {
-        "dropped": {
-          "bytes": 421
-        },
-        "dropped_packets_count": {
-          "value": 4
-        }
-      },
-      "instance": {
-        "cpu": {
-          "reserved_cores": {
-            "value": 1
-          },
-          "usage": {
-            "pct": 0.07259952346383708
-          },
-          "usage_time": {
-            "sec": 4.355971407830225
-          }
-        },
-        "memory": {
-          "balloon": {
-            "ram_size": {
-              "value": 4128378880
-            },
-            "ram_used": {
-              "value": 2190848000
-            },
-            "swap_in": {
-              "bytes": 0
-            },
-            "swap_out": {
-              "bytes": 0
-            }
-          }
-        },
-        "uptime": {
-          "sec": 60.00000000000091
-        }
-      }
-    },
-    "labels": {
-      "user": {
-        "goog-gke-node": ""
-      }
-    }
-  },
-  "host": {
-    "id": "4751091017865185079",
-    "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-  },
-  "metricset": {
-    "name": "compute",
-    "period": 10000
-  },
-  "service": {
-    "type": "gcp"
-  }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
-  - service: dataproc
-    metric_types:
-      - "cluster/hdfs/datanodes"
-      - "cluster/hdfs/storage_capacity"
-      - "cluster/hdfs/storage_utilization"
-      - "cluster/hdfs/unhealthy_blocks"
-      - "cluster/job/failed_count"
-      - "cluster/job/running_count"
-      - "cluster/job/submitted_count"
-      - "cluster/operation/failed_count"
-      - "cluster/operation/running_count"
-      - "cluster/operation/submitted_count"
-      - "cluster/yarn/allocated_memory_percentage"
-      - "cluster/yarn/apps"
-      - "cluster/yarn/containers"
-      - "cluster/yarn/memory_size"
-      - "cluster/yarn/nodemanagers"
-      - "cluster/yarn/pending_memory_size"
-      - "cluster/yarn/virtual_cores"
-      - "cluster/job/completion_time"
-      - "cluster/job/duration"
-      - "cluster/operation/completion_time"
-      - "cluster/operation/duration"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
-    The cloud account or organization id used to identify different entities in a multi-tenant environment.
-    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-  name: cloud.account.id
-  type: keyword
-- description: |-
-    The cloud account name or alias used to identify different entities in a multi-tenant environment.
-    Examples: AWS account name, Google Cloud ORG display name.
-  name: cloud.account.name
-  type: keyword
-- description: Availability zone in which this host, resource, or service is located.
-  name: cloud.availability_zone
-  type: keyword
-- description: Instance ID of the host machine.
-  name: cloud.instance.id
-  type: keyword
-- description: Machine type of the host machine.
-  name: cloud.machine.type
-  type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-  name: cloud.provider
-  type: keyword
-- description: Region in which this host, resource, or service is located.
-  name: cloud.region
-  type: keyword
-- description: |-
-    ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
-    When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
-  name: ecs.version
-  type: keyword
-- description: Error message.
-  name: error.message
-  type: match_only_text
-- description: |-
-    The type of the service data is collected from.
-    The type can be used to group and correlate logs and metrics from one service type.
-    Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-  name: service.type
-  type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/fields.yml
deleted file mode 100755
index e7086b5977..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
-  description: Google Cloud Dataproc metrics
-  type: group
-  fields:
-    - name: batch.spark.executors.count
-      type: long
-      description: Indicates the number of Batch Spark executors.
-    - name: cluster.hdfs.datanodes.count
-      type: long
-      description: Indicates the number of HDFS DataNodes that are running inside a cluster.
-    - name: cluster.hdfs.storage_capacity.value
-      type: double
-      description: Indicates capacity of HDFS system running on cluster in GB.
-    - name: cluster.hdfs.storage_utilization.value
-      type: double
-      description: The percentage of HDFS storage currently used.
-    - name: cluster.hdfs.unhealthy_blocks.count
-      type: long
-      description: Indicates the number of unhealthy blocks inside the cluster.
-    - name: cluster.job.failed.count
-      type: long
-      description: Indicates the number of jobs that have failed on a cluster.
-    - name: cluster.job.running.count
-      type: long
-      description: Indicates the number of jobs that are running on a cluster.
-    - name: cluster.job.submitted.count
-      type: long
-      description: Indicates the number of jobs that have been submitted to a cluster.
-    - name: cluster.operation.failed.count
-      type: long
-      description: Indicates the number of operations that have failed on a cluster.
-    - name: cluster.operation.running.count
-      type: long
-      description: Indicates the number of operations that are running on a cluster.
-    - name: cluster.operation.submitted.count
-      type: long
-      description: Indicates the number of operations that have been submitted to a cluster.
-    - name: cluster.yarn.allocated_memory_percentage.value
-      type: double
-      description: The percentage of YARN memory is allocated.
-    - name: cluster.yarn.apps.count
-      type: long
-      description: Indicates the number of active YARN applications.
-    - name: cluster.yarn.containers.count
-      type: long
-      description: Indicates the number of YARN containers.
-    - name: cluster.yarn.memory_size.value
-      type: double
-      description: Indicates the YARN memory size in GB.
-    - name: cluster.yarn.nodemanagers.count
-      type: long
-      description: Indicates the number of YARN NodeManagers running inside cluster.
-    - name: cluster.yarn.pending_memory_size.value
-      type: double
-      description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
-    - name: cluster.yarn.virtual_cores.count
-      type: long
-      description: Indicates the number of virtual cores in YARN.
-    - name: cluster.job.completion_time.value
-      type: object
-      object_type: histogram
-      description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
-    - name: cluster.job.duration.value
-      type: object
-      object_type: histogram
-      description: The time jobs have spent in a given state.
-    - name: cluster.operation.completion_time.value
-      type: object
-      object_type: histogram
-      description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
-    - name: cluster.operation.duration.value
-      type: object
-      object_type: histogram
-      description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
-  description: >-
-    GCP module
-  fields:
-    - name: labels
-      type: object
-      description: >-
-        GCP monitoring metrics labels
-      fields:
-        - name: user.*
-          type: object
-          object_type: keyword
-        - name: metadata.*
-          type: object
-          object_type: keyword
-        - name: metrics.*
-          type: object
-          object_type: keyword
-        - name: system.*
-          type: object
-          object_type: keyword
-        - name: resource.*
-          type: object
-          object_type: keyword
-    - name: "metrics.*.*.*.*"
-      type: object
-      object_type: double
-      object_type_mapping_type: "*"
-      description: >
-        Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
-  - input: gcp/metrics
-    title: GCP Dataproc Metrics
-    description: Collect GCP Dataproc Metrics
-    vars:
-      - name: region
-        type: text
-        title: GCP Region
-        multi: false
-        required: false
-        show_user: true
-      - name: period
-        type: text
-        title: Period
-        default: 60s
-        required: true
-      - name: exclude_labels
-        type: bool
-        title: Exclude Labels
-        description: Exclude additional labels from metrics
-        multi: false
-        required: false
-        show_user: true
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
-  "@timestamp": "2017-10-12T08:05:34.853Z",
-  "cloud": {
-    "account": {
-      "id": "elastic-obs-integrations-dev",
-      "name": "elastic-obs-integrations-dev"
-    },
-    "instance": {
-      "id": "4751091017865185079",
-      "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-    },
-    "machine": {
-      "type": "e2-medium"
-    },
-    "provider": "gcp",
-    "availability_zone": "us-central1-c",
-    "region": "us-central1"
-  },
-  "event": {
-    "dataset": "gcp.dataproc",
-    "duration": 115000,
-    "module": "gcp"
-  },
-  "gcp": {
-    "dataproc": {
-      "cluster": {
-        "hdfs": {
-          "datanodes": {
-            "count": 15
-          }
-        }
-      }
-    },
-    "labels": {
-      "user": {
-        "goog-gke-node": ""
-      }
-    }
-  },
-  "host": {
-    "id": "4751091017865185079",
-    "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-  },
-  "metricset": {
-    "name": "dataproc",
-    "period": 10000
-  },
-  "service": {
-    "type": "gcp"
-  }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
-  - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-  - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.1/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-description: Pipeline for Google Cloud Firewall Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.action
- value: firewall-rule
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.resource.labels.subnetwork_name
- target_field: network.name
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - rename:
- field: json.jsonPayload.disposition
- target_field: event.type
- if: ctx?.json?.jsonPayload?.disposition != null
- - set:
- field: event.type
- value: connection
- if: ctx?.event?.type != null
- - lowercase:
- field: event.type
- - set:
- field: network.direction
- value: inbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
- - set:
- field: network.direction
- value: outbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "outbound"
-
ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number ==
'0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
-
target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.rule_details.reference
- target_field: rule.name
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- if: ctx?.source?.address != null
- ignore_failure: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- if: ctx?.destination?.address != null
- ignore_failure: true
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.zone
-
target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "inbound"
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - rename:
- field: json.jsonPayload.rule_details
- target_field: gcp.firewall.rule_details
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- - remove:
- field:
- - gcp.firewall.connection
-
gcp.firewall.dest_location
- - gcp.firewall.disposition
- - gcp.firewall.src_location
- - json
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index 98681562b2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0046ac8843..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/fields.yml
deleted file mode 100755
index ccef93d523..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- name: gcp.gke
- description: Google Cloud GKE metrics
- type: group
- fields:
- - name: container.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
- - name: container.cpu.limit_cores.value
- type: double
- description: CPU cores limit of the container. Sampled every 60 seconds.
- - name: container.cpu.limit_utilization.pct
- type: double
- description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.cpu.request_cores.value
- type: double
- description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.cpu.request_utilization.pct
- type: double
- description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.ephemeral_storage.limit.bytes
- type: long
- description: Local ephemeral storage limit in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.request.bytes
- type: long
- description: Local ephemeral storage request in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage usage in bytes. Sampled every 60 seconds.
- - name: container.memory.limit.bytes
- type: long
- description: Memory limit of the container in bytes. Sampled every 60 seconds.
- - name: container.memory.limit_utilization.pct
- type: double
- description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.page_fault.count
- type: long
- description: Number of page faults, broken down by type, major and minor.
- - name: container.memory.request.bytes
- type: long
- description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.request_utilization.pct
- type: double
- description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.memory.used.bytes
- type: long
- description: Memory usage in bytes. Sampled every 60 seconds.
- - name: container.restart.count
- type: long
- description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.uptime.sec
- type: double
- description: Time in seconds that the container has been running. Sampled every 60 seconds.
- - name: node.cpu.allocatable_cores.value
- type: double
- description: Number of allocatable CPU cores on the node. Sampled every 60 seconds.
- - name: node.cpu.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: node.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
- - name: node.cpu.total_cores.value
- type: double
- description: Total number of CPU cores on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.allocatable.bytes
- type: long
- description: Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_free.value
- type: long
- description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_total.value
- type: long
- description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.total.bytes
- type: long
- description: Total ephemeral storage bytes on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: node.memory.total.bytes
- type: long
- description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
- - name: node.memory.used.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.network.received_bytes.count
- type: long
- description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
- - name: node.network.sent_bytes.count
- type: long
- description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
- - name: node.pid_limit.value
- type: long
- description: The max PID of OS on the node. Sampled every 60 seconds.
- - name: node.pid_used.value
- type: long
- description: The number of running process in the OS on the node. Sampled every 60 seconds.
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@
----
-description: Pipeline for Google Cloud DNS logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: info
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - date:
- field: json.receiveTimestamp
- target_field: event.created
- timezone: UTC
- formats:
- - ISO8601
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - convert:
- field: json.resource.labels.project_id
- target_field: cloud.project.id
- type: string
- ignore_failure: true
- - convert:
- field: json.resource.labels.zone
- target_field: cloud.region
- type: string
- ignore_failure: true
- - grok:
- field: json.httpRequest.remoteIp
- ignore_missing: true
- patterns:
- - ^%{IP:source.address}(:%{POSINT:source.port:long})?$
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_failure: true
- - geoip:
- field: source.ip
- target_field: source.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: json.httpRequest.requestMethod
- target_field: http.request.method
- ignore_missing: true
- - convert:
- field: json.httpRequest.requestSize
- target_field: http.request.bytes
- type: long
- ignore_missing: true
- - convert:
- field: json.httpRequest.responseSize
- target_field: http.response.bytes
- type: long
- ignore_missing: true
- - rename:
- field: json.httpRequest.status
- target_field: http.response.status_code
- ignore_missing: true
- - dissect:
- field: json.httpRequest.protocol
- pattern: "%{network.protocol}/%{http.version}"
- ignore_failure: true
- if: ctx.json?.httpRequest?.protocol != null
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - user_agent:
- field: json.httpRequest.userAgent
- target_field: user_agent
- ignore_missing: true
- - uri_parts:
- field: json.httpRequest.requestUrl
- target_field: url
- if: ctx.json?.httpRequest?.requestUrl != null
- - rename:
- field: json.httpRequest.referer
- target_field: http.request.referrer
- ignore_missing: true
- - grok:
- field: json.httpRequest.serverIp
- ignore_missing: true
- patterns:
- - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$
- - set:
- field: destination.address
- copy_from: url.domain
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: destination.port
- copy_from: url.port
- ignore_empty_value: true
- ignore_failure: true
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_missing: true
- on_failure:
- - rename:
- field: url.domain
- target_field: destination.domain
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.severity
- target_field: log.level
- ignore_missing: true
- - rename:
- field: json.jsonPayload.cacheId
- target_field: gcp.load_balancer.cache_id
- ignore_missing: true
- - rename:
- field: json.jsonPayload.statusDetails
- target_field: gcp.load_balancer.status_details
- ignore_missing: true
- - rename:
- field: json.httpRequest.cacheHit
- target_field: gcp.load_balancer.cache_hit
- ignore_missing: true
- - rename:
- field: json.httpRequest.cacheLookup
- target_field: gcp.load_balancer.cache_lookup
- ignore_missing: true
- - rename:
- field: json.resource.labels.url_map_name
- target_field: gcp.load_balancer.url_map_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.forwarding_rule_name
- target_field: gcp.load_balancer.forwarding_rule_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.target_proxy_name
- target_field: gcp.load_balancer.target_proxy_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.backend_service_name
- target_field: gcp.load_balancer.backend_service_name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null
- - append:
- field: related.ip
- value: "{{destination.nat.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.nat?.ip != null
- - append:
- field: related.hosts
- value: "{{destination.domain}}"
- allow_duplicates: false
- if: ctx?.destination?.domain != null
- - remove:
- field:
- - json
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/base-fields.yml
deleted file mode 100755
index 5d5236cac3..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_logs
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/ecs.yml
deleted file mode 100755
index fb2886752f..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/ecs.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/fields.yml
deleted file mode 100755
index 5c4162eb07..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/fields/fields.yml
+++ /dev/null
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/sample_event.json
deleted file mode 100755
index 2f777d5650..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_logs/sample_event.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}",
- "type": "info"
- },
- "gcp": {
- "load_balancer": {
- "backend_service_name": "",
- "cache_hit": true,
- "cache_id": "SFO-fbae48ad",
- "cache_lookup": true,
- "forwarding_rule_name": "FORWARDING_RULE_NAME",
- "status_details": "response_from_cache",
- "target_proxy_name": "TARGET_PROXY_NAME",
- "url_map_name": "URL_MAP_NAME"
- }
- },
- "http": {
- "request": {
- "bytes": 577,
- "method": "GET",
- "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript"
- },
- "response": {
- "bytes": 157,
- "status_code": 304
- },
- "version": "2.0"
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/PROJECT_ID/logs/requests"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "ip": [
- "89.160.20.156",
- "81.2.69.193",
- "10.5.3.1"
- ]
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 9989
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ],
- "url": {
- "domain": "81.2.69.193",
- "extension": "jpg",
- "original": "http://81.2.69.193:8080/static/us/three-cats.jpg",
- "path": "/static/us/three-cats.jpg",
- "port": 8080,
- "scheme": "http"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.14.6",
- "name": "Mac OS X",
- "version": "10.14.6"
- },
- "version": "83.0.4103.61"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs
deleted file mode 100755
index 27124802fb..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- -
"subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd1f37e511..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: storage
- metric_types:
- - "api/request_count"
- - "authz/acl_based_object_access_count"
- - "authz/acl_operations_count"
- - "authz/object_specific_acl_mutation_count"
- - "network/received_bytes_count"
- - "network/sent_bytes_count"
- - "storage/object_count"
- - "storage/total_byte_seconds"
- - "storage/total_bytes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@
----
-description: Pipeline for Google Cloud VPC Flow Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: connection
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.bytes_sent
- target_field: source.bytes
- ignore_missing: true
- - rename:
- field: json.jsonPayload.packets_sent
- target_field: source.packets
- ignore_missing: true
- - rename:
- field: json.jsonPayload.start_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.jsonPayload.end_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
- target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - convert:
- field: json.jsonPayload.rtt_msec
- target_field: json.jsonPayload.rtt.ms
- type: long
- ignore_missing: true
- - rename:
- field: json.jsonPayload
- target_field: gcp.vpcflow
- ignore_missing: true
- - convert:
- field: source.bytes
- type: long
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - remove:
- field:
- - gcp.vpcflow.rtt_msec
- - gcp.vpcflow.connection
- - gcp.vpcflow.dest_location
- - gcp.vpcflow.src_location
- - json
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_failure: true
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_failure: true
- if: ctx?.destination?.address != null
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: source.bytes
- type: long
- target_field: network.bytes
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- target_field: network.packets
- ignore_missing: true
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: outbound
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null
- - set:
- field: network.direction
- value: inbound
- if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/sample_event.json deleted file mode 100755 index a1244c2cca..0000000000 --- a/packages/gcp/2.11.10-beta.1/data_stream/vpcflow/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/docs/README.md b/packages/gcp/2.11.10-beta.1/docs/README.md
deleted file mode 100755
index 5194cf59ef..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/docs/audit.md b/packages/gcp/2.11.10-beta.1/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. 
| keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/docs/billing.md b/packages/gcp/2.11.10-beta.1/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.1/docs/compute.md b/packages/gcp/2.11.10-beta.1/docs/compute.md
deleted file mode 100755
index 34b3d0eee8..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.1/docs/dataproc.md b/packages/gcp/2.11.10-beta.1/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.1/docs/dns.md b/packages/gcp/2.11.10-beta.1/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/docs/firestore.md b/packages/gcp/2.11.10-beta.1/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.1/docs/firewall.md b/packages/gcp/2.11.10-beta.1/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/docs/gke.md b/packages/gcp/2.11.10-beta.1/docs/gke.md deleted file mode 100755 index 58c31a0c39..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.1/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.1/docs/loadbalancing.md deleted file mode 100755 index b7f53f6ca7..0000000000 --- a/packages/gcp/2.11.10-beta.1/docs/loadbalancing.md +++ /dev/null 
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.10-beta.1/docs/pubsub.md b/packages/gcp/2.11.10-beta.1/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@
-# PubSub
-
-## Metrics
-
-The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `pubsub` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long |
-| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object |
-| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes.
This is used to measure quota utilization. | long |
-| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long |
-| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long |
-| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long |
-| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result.
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long |
-| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long |
-| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long |
-| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object |
-| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long |
-| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long |
-| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long |
-| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
| long |
-| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long |
-| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object |
-| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
| long |
-| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long |
-| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version.
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.1/docs/storage.md b/packages/gcp/2.11.10-beta.1/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# Storage
-
-## Metrics
-
-The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `storage` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long |
-| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long |
-| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long |
-| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long |
-| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long |
-| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.1/docs/vpcflow.md b/packages/gcp/2.11.10-beta.1/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10-beta.1/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# VPC Flow
-
-## Logs
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application.
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network.
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system.
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number":
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.1/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.10-beta.1/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.1/img/gcp-billing.png b/packages/gcp/2.11.10-beta.1/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.10-beta.1/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.1/img/gcp-compute.png b/packages/gcp/2.11.10-beta.1/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.10-beta.1/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.1/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.1/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.10-beta.1/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing L3 Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa",
- "type": "visualization"
- },
- {
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3",
- "type": "visualization"
- },
- {
- "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87",
- "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86",
- "type": "visualization"
- },
- {
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a",
- "type": "visualization"
- },
- {
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index fd06344701..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 861368f819..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 6156011102..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 3e08b8a182..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index c8d7d7accb..0000000000
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10-beta.1/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.1/manifest.yml b/packages/gcp/2.11.10-beta.1/manifest.yml deleted file mode 100755 index 7fc5f0fd65..0000000000 --- a/packages/gcp/2.11.10-beta.1/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10-beta.1" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.10-beta.2/LICENSE.txt b/packages/gcp/2.11.10-beta.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.10-beta.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/gcp/2.11.10-beta.2/changelog.yml b/packages/gcp/2.11.10-beta.2/changelog.yml deleted file mode 100755 index 5a272983bb..0000000000 --- a/packages/gcp/2.11.10-beta.2/changelog.yml +++ /dev/null 
@@ -1,307 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.2/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/agent.yml
deleted file mode 100755
index 55b1dd9741..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/billing/sample_event.json deleted file mode 100755 index 2acd0b4308..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/billing/sample_event.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/compute/agent/stream/stream.yml.hbs deleted file mode 100755 index dd973286ef..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 941808c0d2..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -description: Pipeline for parsing GCP Compute metrics. -processors: - - rename: - field: gcp.metrics.firewall.dropped.bytes - target_field: gcp.compute.firewall.dropped.bytes - ignore_missing: true - - rename: - field: gcp.metrics.firewall.dropped_packets_count.value - target_field: gcp.compute.firewall.dropped_packets_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.reserved_cores.value - target_field: gcp.compute.instance.cpu.reserved_cores.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage_time.sec - target_field: gcp.compute.instance.cpu.usage_time.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage.pct - target_field: gcp.compute.instance.cpu.usage.pct - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read.bytes - target_field: gcp.compute.instance.disk.read.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read_ops_count.value - target_field: gcp.compute.instance.disk.read_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write.bytes - target_field: gcp.compute.instance.disk.write.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write_ops_count.value - target_field: gcp.compute.instance.disk.write_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_size.value - target_field: gcp.compute.instance.memory.balloon.ram_size.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_used.value - target_field: gcp.compute.instance.memory.balloon.ram_used.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_in.bytes - target_field: gcp.compute.instance.memory.balloon.swap_in.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_out.bytes - target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.bytes - target_field: gcp.compute.instance.network.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.packets.count - target_field: gcp.compute.instance.network.ingress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.bytes - target_field: gcp.compute.instance.network.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.packets.count - target_field: gcp.compute.instance.network.egress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime.sec - target_field: gcp.compute.instance.uptime.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime_total.sec - target_field: gcp.compute.instance.uptime_total.sec - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.2/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/agent/stream/stream.yml.hbs deleted file mode 100755 index 914e062aa2..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/dns/manifest.yml deleted file mode 100755 index 202ad033f7..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.2/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8556ebb766..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -description: Pipeline for parsing GCP Firestore metrics. -processors: - - rename: - field: gcp.metrics.document.delete.count - target_field: gcp.firestore.document.delete.count - ignore_missing: true - - rename: - field: gcp.metrics.document.read.count - target_field: gcp.firestore.document.read.count - ignore_missing: true - - rename: - field: gcp.metrics.document.write.count - target_field: gcp.firestore.document.write.count - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 93e2a6ab3b..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firewall diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 9723061204..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: gcp.firewall - type: group - fields: - - name: rule_details - type: group - fields: - - name: priority - type: long - description: The priority for the firewall rule. - - name: action - type: keyword - description: Action that the rule performs on match. - - name: direction - type: keyword - description: Direction of traffic that matches this rule. - - name: reference - type: keyword - description: Reference to the firewall rule. - - name: source_range - type: keyword - description: List of source ranges that the firewall rule applies to. - - name: destination_range - type: keyword - description: List of destination ranges that the firewall applies to. - - name: source_tag - type: keyword - description: | - List of all the source tags that the firewall rule applies to. - - name: target_tag - type: keyword - description: | - List of all the target tags that the firewall rule applies to. - - name: ip_port_info - type: array - description: | - List of ip protocols and applicable port ranges for rules. - - name: source_service_account - type: keyword - description: | - List of all the source service accounts that the firewall rule applies to. - - name: target_service_account - type: keyword - description: | - List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.2/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/gke/agent/stream/stream.yml.hbs deleted file mode 100755 index 0046ac8843..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/fields.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.2/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-- name: gcp.pubsub
- description: Google Cloud PubSub metrics
- type: group
- fields:
- - name: snapshot.backlog.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot.
- - name: snapshot.backlog_bytes_by_region.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: snapshot.num_messages.value
- type: long
- description: Number of messages retained in a snapshot.
- - name: snapshot.num_messages_by_region.value
- type: long
- description: Number of messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.oldest_message_age.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot.
- - name: snapshot.oldest_message_age_by_region.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
- - name: subscription.ack_message.count
- type: long
- description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
- - name: subscription.backlog.bytes
- type: long
- description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.byte_cost.bytes
- type: long
- description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
- - name: subscription.config_updates.count
- type: long
- description: Cumulative count of configuration changes for each subscription, grouped by operation type and result.
- - name: subscription.dead_letter_message.count
- type: long
- description: Cumulative count of messages published to dead letter topic, grouped by result.
- - name: subscription.mod_ack_deadline_message.count
- type: long
- description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
- - name: subscription.mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of ModifyAckDeadline message operations, grouped by result.
- - name: subscription.mod_ack_deadline_request.count
- type: long
- description: Cumulative count of ModifyAckDeadline requests, grouped by result.
- - name: subscription.num_outstanding_messages.value
- type: long
- description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.
- - name: subscription.num_undelivered_messages.value
- type: long
- description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.oldest_retained_acked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription.
- - name: subscription.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
- - name: subscription.oldest_unacked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
- - name: subscription.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
- - name: subscription.pull_ack_message_operation.count
- type: long
- description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_ack_request.count
- type: long
- description: Cumulative count of acknowledge requests, grouped by result.
- - name: subscription.pull_message_operation.count
- type: long
- description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_request.count
- type: long
- description: Cumulative count of pull requests, grouped by result.
- - name: subscription.push_request.count
- type: long
- description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
- - name: subscription.retained_acked.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription.
- - name: subscription.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
- - name: subscription.seek_request.count
- type: long
- description: Cumulative count of seek attempts, grouped by result.
- - name: subscription.sent_message.count
- type: long
- description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
- - name: subscription.streaming_pull_ack_message_operation.count
- type: long
- description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.streaming_pull_ack_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
- - name: subscription.streaming_pull_message_operation.count
- type: long
- description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count
- - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
- - name: subscription.streaming_pull_mod_ack_deadline_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
- - name: subscription.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: subscription.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
- - name: topic.byte_cost.bytes
- type: long
- description: Cost of operations, measured in bytes. This is used to measure utilization for quotas.
- - name: topic.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: topic.message_sizes.bytes
- type: object
- object_type: histogram
- description: Distribution of publish message sizes (in bytes)
- - name: topic.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
- - name: topic.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
- - name: topic.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
- - name: topic.send_message_operation.count
- type: long
- description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: topic.send_request.count
- type: long
- description: Cumulative count of publish requests, grouped by result.
- - name: topic.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: topic.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
- - name: subscription.ack_latencies.value
- type: object
- object_type: histogram
- description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
- - name: subscription.push_request_latencies.value
- type: object
- object_type: histogram
- description: Distribution of push request latencies (in microseconds), grouped by result.
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/manifest.yml
deleted file mode 100755
index 39d8944a03..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP PubSub Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/pubsub/sample_event.json
deleted file mode 100755
index c8419630eb..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/pubsub/sample_event.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd1f37e511..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: storage
- metric_types:
- - "api/request_count"
- - "authz/acl_based_object_access_count"
- - "authz/acl_operations_count"
- - "authz/object_specific_acl_mutation_count"
- - "network/received_bytes_count"
- - "network/sent_bytes_count"
- - "storage/object_count"
- - "storage/total_byte_seconds"
- - "storage/total_bytes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@
----
-description: Pipeline for Google Cloud VPC Flow Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: connection
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.bytes_sent
- target_field: source.bytes
- ignore_missing: true
- - rename:
- field: json.jsonPayload.packets_sent
- target_field: source.packets
- ignore_missing: true
- - rename:
- field: json.jsonPayload.start_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.jsonPayload.end_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
- target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - convert:
- field: json.jsonPayload.rtt_msec
- target_field: json.jsonPayload.rtt.ms
- type: long
- ignore_missing: true
- rename:
- field: json.jsonPayload
- target_field: gcp.vpcflow
- ignore_missing: true
- - convert:
- field: source.bytes
- type: long
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - remove:
- field:
- - gcp.vpcflow.rtt_msec
- - gcp.vpcflow.connection
- - gcp.vpcflow.dest_location
- - gcp.vpcflow.src_location
- - json
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_failure: true
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_failure: true
- if: ctx?.destination?.address != null
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: source.bytes
- type: long
- target_field: network.bytes
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- target_field: network.packets
- ignore_missing: true
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: outbound
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null
- - set:
- field: network.direction
- value: inbound
- if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.10-beta.2/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/docs/README.md b/packages/gcp/2.11.10-beta.2/docs/README.md
deleted file mode 100755
index 5194cf59ef..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string.
| keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation.
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
| keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string.
| keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type":
"type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
-```
-
-### Firewall
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule.
| keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event.
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/docs/audit.md b/packages/gcp/2.11.10-beta.2/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.2/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. 
| keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/docs/billing.md b/packages/gcp/2.11.10-beta.2/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.2/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/compute.md b/packages/gcp/2.11.10-beta.2/docs/compute.md
deleted file mode 100755
index 34b3d0eee8..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/dataproc.md b/packages/gcp/2.11.10-beta.2/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.2/docs/dns.md b/packages/gcp/2.11.10-beta.2/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.10-beta.2/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/docs/firestore.md b/packages/gcp/2.11.10-beta.2/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.10-beta.2/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.2/docs/firewall.md b/packages/gcp/2.11.10-beta.2/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.10-beta.2/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/docs/gke.md b/packages/gcp/2.11.10-beta.2/docs/gke.md
deleted file mode 100755
index 58c31a0c39..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.2/docs/loadbalancing.md
deleted file mode 100755
index b7f53f6ca7..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword |
-| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean |
-| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword |
-| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean |
-| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword |
-| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword |
-| gcp.load_balancer.target_proxy_name | The target proxy name | keyword |
-| gcp.load_balancer.url_map_name | The URL map name | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long |
-| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long |
-| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object |
-| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long |
-| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long |
-| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/pubsub.md b/packages/gcp/2.11.10-beta.2/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/storage.md b/packages/gcp/2.11.10-beta.2/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.2/docs/vpcflow.md b/packages/gcp/2.11.10-beta.2/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10-beta.2/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.2/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.10-beta.2/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.2/img/gcp-billing.png b/packages/gcp/2.11.10-beta.2/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.10-beta.2/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.2/img/gcp-compute.png b/packages/gcp/2.11.10-beta.2/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.10-beta.2/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.2/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.2/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.10-beta.2/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "4cb00ce3-c62e-46f3-90ce-b69c876b9605": {
- "columnOrder": [
- "2f66b924-5392-4e5e-93fe-5b23a87068c1"
- ],
- "columns": {
- "2f66b924-5392-4e5e-93fe-5b23a87068c1": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "",
- "operationType": "unique_count",
- "scale": "ratio",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1",
- "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605",
- "layerType": "data"
- }
- },
- "title": "Total Number Of Projects [Metrics GCP]",
- "visualizationType": "lnsMetric"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 502ed7d0f7..0000000000
--- a/packages/gcp/2.11.10-beta.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.email",
- "service.name",
- "gcp.audit.type",
- "event.action",
- "event.outcome",
- "source.ip",
- "source.geo.region_name"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Audit [Logs GCP]",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
deleted file mode 100755
index 5f9cb58c69..0000000000
--- a/packages/gcp/2.11.10-beta.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "All assets to monitor GCP",
- "name": "GCP"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10-beta.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.2/manifest.yml b/packages/gcp/2.11.10-beta.2/manifest.yml deleted file mode 100755 index 7eeda3507e..0000000000 --- a/packages/gcp/2.11.10-beta.2/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@
-name: gcp
-title: Google Cloud Platform
-version: "2.11.10-beta.2"
-release: ga
-description: Collect logs from Google Cloud Platform with Elastic Agent.
-type: integration
-icons:
- - src: /img/logo_gcp.svg
- title: logo gcp
- size: 32x32
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - google_cloud
- - cloud
-conditions:
- kibana.version: ^7.17.6 || ^8.3.0
-screenshots:
- - src: /img/filebeat-gcp-audit.png
- title: filebeat gcp audit
- size: 1702x996
- type: image/png
- - src: /img/gcp-billing.png
- title: GCP Billing Metrics Dashboard
- size: 2000x1020
- type: image/png
- - src: /img/gcp-compute.png
- title: GCP Compute Metrics Dashboard
- size: 2000x2021
- type: image/png
-vars:
- - name: project_id
- type: text
- title: Project Id
- multi: false
- required: true
- show_user: true
- default: SET_PROJECT_NAME
- - name: credentials_file
- type: text
- title: Credentials File
- multi: false
- required: false
- show_user: true
- - name: credentials_json
- type: text
- title: Credentials Json
- multi: false
- required: false
- show_user: true
-policy_templates:
- - name: audit
- title: Google Cloud Platform (GCP) Audit logs
- description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - security
- data_streams:
- - audit
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)"
- description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- screenshots:
- - src: /img/filebeat-gcp-audit.png
- title: filebeat gcp audit
- size: 1702x996
- type: image/png
- - name: firewall
- title: Google Cloud Platform (GCP) Firewall logs
- description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - firewall
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) firewall logs (input: gcp-pubsub)"
- description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: vpcflow
- title: Google Cloud Platform (GCP) VPC Flow logs
- description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - vpcflow
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)"
- description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: dns
- title: Google Cloud Platform (GCP) DNS logs
- description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - dns
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)"
- description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: billing
- title: Google Cloud Platform (GCP) Billing metrics
- description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - billing
- inputs:
- - type: gcp/metrics
- title: Collect GCP Billing Metrics
- description: Collect GCP Billing Metrics
- input_group: metrics
- screenshots:
- - src: /img/gcp-billing.png
- title: GCP Billing Metrics Dashboard
- size: 2000x1020
- type: image/png
- - name: compute
- title: Google Cloud Platform (GCP) Compute metrics
- description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - compute
- inputs:
- - type: gcp/metrics
- title: Collect GCP Compute Metrics
- description: Collect GCP Compute Metrics
- input_group: metrics
- screenshots:
- - src: /img/gcp-compute.png
- title: GCP Compute Metrics Dashboard
- size: 2000x2021
- type: image/png
- - name: firestore
- title: Google Cloud Platform (GCP) Firestore metrics
- description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - firestore
- inputs:
- - type: gcp/metrics
- title: Collect GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- input_group: metrics
- - name: loadbalancing
- title: Google Cloud Platform (GCP) Load Balancing metrics
- description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - loadbalancing_metrics
- - loadbalancing_logs
- inputs:
- - type: gcp/metrics
- title: Collect GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- input_group: metrics
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)"
- description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)"
- input_group: logs
- - name: storage
- title: Google Cloud Platform (GCP) Storage metrics
- description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - storage
- inputs:
- - type: gcp/metrics
- title: Collect GCP Storage Metrics
- description: Collect GCP Storage Metrics
- input_group: metrics
- - name: gke
- title: Google Cloud Platform (GCP) GKE metrics
- description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - gke
- inputs:
- - type: gcp/metrics
- title: Collect GCP GKE Metrics
- description: Collect GCP GKE Metrics
- input_group: metrics
- - name: dataproc
- title: Google Cloud Platform (GCP) Dataproc metrics
- description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - dataproc
- inputs:
- - type: gcp/metrics
- title: Collect GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- input_group: metrics
- - name: pubsub
- title: Google Cloud Platform (GCP) PubSub metrics
- description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.10-beta.3/LICENSE.txt b/packages/gcp/2.11.10-beta.3/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.10-beta.3/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10-beta.3/changelog.yml b/packages/gcp/2.11.10-beta.3/changelog.yml
deleted file mode 100755
index 73ac283369..0000000000
--- a/packages/gcp/2.11.10-beta.3/changelog.yml
+++ /dev/null
@@ -1,312 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.3" - changes: - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - 
description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - 
description: Add additional parsing for DNS Public Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 4487d9358b..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.3/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/agent.yml deleted file mode 100755 index 55b1dd9741..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 941808c0d2..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -description: Pipeline for parsing GCP Compute metrics. -processors: - - rename: - field: gcp.metrics.firewall.dropped.bytes - target_field: gcp.compute.firewall.dropped.bytes - ignore_missing: true - - rename: - field: gcp.metrics.firewall.dropped_packets_count.value - target_field: gcp.compute.firewall.dropped_packets_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.reserved_cores.value - target_field: gcp.compute.instance.cpu.reserved_cores.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage_time.sec - target_field: gcp.compute.instance.cpu.usage_time.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage.pct - target_field: gcp.compute.instance.cpu.usage.pct - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read.bytes - target_field: gcp.compute.instance.disk.read.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read_ops_count.value - target_field: gcp.compute.instance.disk.read_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write.bytes - target_field: gcp.compute.instance.disk.write.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write_ops_count.value - target_field: gcp.compute.instance.disk.write_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_size.value - target_field: gcp.compute.instance.memory.balloon.ram_size.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_used.value - target_field: gcp.compute.instance.memory.balloon.ram_used.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_in.bytes - target_field: gcp.compute.instance.memory.balloon.swap_in.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_out.bytes - target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.bytes - target_field: gcp.compute.instance.network.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.packets.count - target_field: gcp.compute.instance.network.ingress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.bytes - target_field: gcp.compute.instance.network.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.packets.count - target_field: gcp.compute.instance.network.egress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime.sec - target_field: gcp.compute.instance.uptime.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime_total.sec - target_field: gcp.compute.instance.uptime_total.sec - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.3/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/fields.yml
deleted file mode 100755
index e7086b5977..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/fields.yml deleted file mode 100755 index 0edf352fb0..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/dns/manifest.yml deleted file mode 100755 index 202ad033f7..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.3/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8556ebb766..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -description: Pipeline for parsing GCP Firestore metrics. -processors: - - rename: - field: gcp.metrics.document.delete.count - target_field: gcp.firestore.document.delete.count - ignore_missing: true - - rename: - field: gcp.metrics.document.read.count - target_field: gcp.firestore.document.read.count - ignore_missing: true - - rename: - field: gcp.metrics.document.write.count - target_field: gcp.firestore.document.write.count - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.3/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/gke/agent/stream/stream.yml.hbs deleted file mode 100755 index 0046ac8843..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/fields.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.3/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd1f37e511..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: storage
- metric_types:
- - "api/request_count"
- - "authz/acl_based_object_access_count"
- - "authz/acl_operations_count"
- - "authz/object_specific_acl_mutation_count"
- - "network/received_bytes_count"
- - "network/sent_bytes_count"
- - "storage/object_count"
- - "storage/total_byte_seconds"
- - "storage/total_bytes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 011741d2b4..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-description: Pipeline for parsing GCP Storage metrics.
-processors:
- - rename:
- field: gcp.metrics.api.request.count
- target_field: gcp.storage.api.request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.authz.acl_based_object_access.count
- target_field: gcp.storage.authz.acl_based_object_access.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.authz.acl_operations.count
- target_field: gcp.storage.authz.acl_operations.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.authz.object_specific_acl_mutation.count
- target_field: gcp.storage.authz.object_specific_acl_mutation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.network.received.bytes
- target_field: gcp.storage.network.received.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.network.sent.bytes
- target_field: gcp.storage.network.sent.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.storage.object.count
- target_field: gcp.storage.storage.object.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.storage.total_byte_seconds.bytes
- target_field: gcp.storage.storage.total_byte_seconds.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.storage.total.bytes
- target_field: gcp.storage.storage.total.bytes
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/fields.yml deleted file mode 100755 index afd0aca3fa..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/sample_event.json deleted file mode 100755 index a1244c2cca..0000000000 --- a/packages/gcp/2.11.10-beta.3/data_stream/vpcflow/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/docs/README.md b/packages/gcp/2.11.10-beta.3/docs/README.md deleted file mode 100755 index 5194cf59ef..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously.
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval.
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
| long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number":
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset.
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency.
| integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id.
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/docs/audit.md b/packages/gcp/2.11.10-beta.3/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@
-# Audit
-
-## Logs
-
-The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.email | User email address. | keyword |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.
| keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/docs/billing.md b/packages/gcp/2.11.10-beta.3/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.3/docs/compute.md b/packages/gcp/2.11.10-beta.3/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.3/docs/dataproc.md b/packages/gcp/2.11.10-beta.3/docs/dataproc.md deleted file mode 100755 index 0b90005cea..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/dataproc.md +++ /dev/null 
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. | long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/dns.md b/packages/gcp/2.11.10-beta.3/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.3/docs/firestore.md b/packages/gcp/2.11.10-beta.3/docs/firestore.md
deleted file mode 100755
index 2b8c97370e..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/firestore.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Firestore
-
-## Metrics
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/firewall.md b/packages/gcp/2.11.10-beta.3/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to.
| keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`.
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter.
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/docs/gke.md b/packages/gcp/2.11.10-beta.3/docs/gke.md deleted file mode 100755 index 58c31a0c39..0000000000 --- a/packages/gcp/2.11.10-beta.3/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
| double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
| long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network.
Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.3/docs/loadbalancing.md
deleted file mode 100755
index b7f53f6ca7..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object |
-| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long |
-| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long |
-| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/pubsub.md b/packages/gcp/2.11.10-beta.3/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long |
-| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long |
-| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/storage.md b/packages/gcp/2.11.10-beta.3/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.3/docs/vpcflow.md b/packages/gcp/2.11.10-beta.3/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10-beta.3/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.3/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.10-beta.3/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.3/img/gcp-billing.png b/packages/gcp/2.11.10-beta.3/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.10-beta.3/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.3/img/gcp-compute.png b/packages/gcp/2.11.10-beta.3/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.10-beta.3/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.3/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.3/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.10-beta.3/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@
-{
- "attributes": {
- "description": "Overview of the firewall log data from Google Cloud.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10-beta.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.3/manifest.yml b/packages/gcp/2.11.10-beta.3/manifest.yml deleted file mode 100755 index dc72a86ed5..0000000000 --- a/packages/gcp/2.11.10-beta.3/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10-beta.3" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.10-beta.4/LICENSE.txt b/packages/gcp/2.11.10-beta.4/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.10-beta.4/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10-beta.4/changelog.yml b/packages/gcp/2.11.10-beta.4/changelog.yml
deleted file mode 100755
index 8a81dff714..0000000000
--- a/packages/gcp/2.11.10-beta.4/changelog.yml
+++ /dev/null
@@ -1,317 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.4" - changes: - - description: Add GCP PubSub ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4349 -- version: "2.11.10-beta.3" - changes: - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move 
Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - 
changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 4487d9358b..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.4/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/agent.yml deleted file mode 100755 index 55b1dd9741..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/billing/sample_event.json deleted file mode 100755 index 2acd0b4308..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/billing/sample_event.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/compute/agent/stream/stream.yml.hbs deleted file mode 100755 index dd973286ef..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 941808c0d2..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -description: Pipeline for parsing GCP Compute metrics. -processors: - - rename: - field: gcp.metrics.firewall.dropped.bytes - target_field: gcp.compute.firewall.dropped.bytes - ignore_missing: true - - rename: - field: gcp.metrics.firewall.dropped_packets_count.value - target_field: gcp.compute.firewall.dropped_packets_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.reserved_cores.value - target_field: gcp.compute.instance.cpu.reserved_cores.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage_time.sec - target_field: gcp.compute.instance.cpu.usage_time.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage.pct - target_field: gcp.compute.instance.cpu.usage.pct - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read.bytes - target_field: gcp.compute.instance.disk.read.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read_ops_count.value - target_field: gcp.compute.instance.disk.read_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write.bytes - target_field: gcp.compute.instance.disk.write.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write_ops_count.value - target_field: gcp.compute.instance.disk.write_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_size.value - target_field: gcp.compute.instance.memory.balloon.ram_size.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_used.value - target_field: gcp.compute.instance.memory.balloon.ram_used.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_in.bytes - target_field: gcp.compute.instance.memory.balloon.swap_in.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_out.bytes - target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.bytes - target_field: gcp.compute.instance.network.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.packets.count - target_field: gcp.compute.instance.network.ingress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.bytes - target_field: gcp.compute.instance.network.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.packets.count - target_field: gcp.compute.instance.network.egress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime.sec - target_field: gcp.compute.instance.uptime.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime_total.sec - target_field: gcp.compute.instance.uptime_total.sec - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.4/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/agent/stream/stream.yml.hbs deleted file mode 100755 index 914e062aa2..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/fields.yml
deleted file mode 100755
index e7086b5977..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/fields.yml deleted file mode 100755 index 0edf352fb0..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/dns/manifest.yml deleted file mode 100755 index 202ad033f7..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.4/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8556ebb766..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -description: Pipeline for parsing GCP Firestore metrics. -processors: - - rename: - field: gcp.metrics.document.delete.count - target_field: gcp.firestore.document.delete.count - ignore_missing: true - - rename: - field: gcp.metrics.document.read.count - target_field: gcp.firestore.document.read.count - ignore_missing: true - - rename: - field: gcp.metrics.document.write.count - target_field: gcp.firestore.document.write.count - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@
----
-description: Pipeline for Google Cloud Firewall Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.action
- value: firewall-rule
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.resource.labels.subnetwork_name
- target_field: network.name
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - rename:
- field: json.jsonPayload.disposition
- target_field: event.type
- if: ctx?.json?.jsonPayload?.disposition != null
- - set:
- field: event.type
- value: connection
- if: ctx?.event?.type != null
- - lowercase:
- field: event.type
- - set:
- field: network.direction
- value: inbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
- - set:
- field: network.direction
- value: outbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "outbound"
-
ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number ==
'0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
-
target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.rule_details.reference
- target_field: rule.name
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- if: ctx?.source?.address != null
- ignore_failure: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- if: ctx?.destination?.address != null
- ignore_failure: true
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.zone
-
target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "inbound"
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - rename:
- field: json.jsonPayload.rule_details
- target_field: gcp.firewall.rule_details
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- - remove:
- field:
- - gcp.firewall.connection
- -
gcp.firewall.dest_location
- - gcp.firewall.disposition
- - gcp.firewall.src_location
- - json
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index 98681562b2..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0046ac8843..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
- - name: https.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
- - name: https.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the RTT measured for each connection between client and proxy.
- - name: https.internal.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.internal.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: https.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: l3.external.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
- - name: l3.internal.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
- - name: tcp_ssl_proxy.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client.
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - 
"subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 41c81b4d9b..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,207 +0,0 @@
----
-description: Pipeline for parsing GCP PubSub metrics.
-processors:
- - rename:
- field: gcp.metrics.snapshot.backlog.bytes
- target_field: gcp.pubsub.snapshot.backlog.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.backlog_bytes_by_region.bytes
- target_field: gcp.pubsub.snapshot.backlog_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.config_updates.count
- target_field: gcp.pubsub.snapshot.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.num_messages.value
- target_field: gcp.pubsub.snapshot.num_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.num_messages_by_region.value
- target_field: gcp.pubsub.snapshot.num_messages_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.oldest_message_age.sec
- target_field: gcp.pubsub.snapshot.oldest_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.oldest_message_age_by_region.sec
- target_field: gcp.pubsub.snapshot.oldest_message_age_by_region.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.ack_message.count
- target_field: gcp.pubsub.subscription.ack_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.backlog.bytes
- target_field: gcp.pubsub.subscription.backlog.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.byte_cost.bytes
- target_field: gcp.pubsub.subscription.byte_cost.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.config_updates.count
- target_field: gcp.pubsub.subscription.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.dead_letter_message.count
- target_field: gcp.pubsub.subscription.dead_letter_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_message.count
- target_field: 
gcp.pubsub.subscription.mod_ack_deadline_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_message_operation.count
- target_field: gcp.pubsub.subscription.mod_ack_deadline_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_request.count
- target_field: gcp.pubsub.subscription.mod_ack_deadline_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.num_outstanding_messages.value
- target_field: gcp.pubsub.subscription.num_outstanding_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.num_undelivered_messages.value
- target_field: gcp.pubsub.subscription.num_undelivered_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_retained_acked_message_age.sec
- target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_retained_acked_message_age_by_region.value
- target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_unacked_message_age.sec
- target_field: gcp.pubsub.subscription.oldest_unacked_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_unacked_message_age_by_region.value
- target_field: gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_ack_message_operation.count
- target_field: gcp.pubsub.subscription.pull_ack_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_ack_request.count
- target_field: gcp.pubsub.subscription.pull_ack_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_message_operation.count
- target_field: 
gcp.pubsub.subscription.pull_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_request.count
- target_field: gcp.pubsub.subscription.pull_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.push_request.count
- target_field: gcp.pubsub.subscription.push_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.retained_acked.bytes
- target_field: gcp.pubsub.subscription.retained_acked.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.retained_acked_bytes_by_region.bytes
- target_field: gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.seek_request.count
- target_field: gcp.pubsub.subscription.seek_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.sent_message.count
- target_field: gcp.pubsub.subscription.sent_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_ack_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_ack_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_ack_request.count
- target_field: gcp.pubsub.subscription.streaming_pull_ack_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_request.count
- target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count
- ignore_missing: true
- - rename:
- field: 
gcp.metrics.subscription.streaming_pull_response.count
- target_field: gcp.pubsub.subscription.streaming_pull_response.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.unacked_bytes_by_region.bytes
- target_field: gcp.pubsub.subscription.unacked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.byte_cost.bytes
- target_field: gcp.pubsub.topic.byte_cost.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.config_updates.count
- target_field: gcp.pubsub.topic.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.message_sizes.bytes
- target_field: gcp.pubsub.topic.message_sizes.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.oldest_retained_acked_message_age_by_region.value
- target_field: gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.oldest_unacked_message_age_by_region.value
- target_field: gcp.pubsub.topic.oldest_unacked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.retained_acked_bytes_by_region.bytes
- target_field: gcp.pubsub.topic.retained_acked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.send_message_operation.count
- target_field: gcp.pubsub.topic.send_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.send_request.count
- target_field: gcp.pubsub.topic.send_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.streaming_pull_response.count
- target_field: gcp.pubsub.topic.streaming_pull_response.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.unacked_bytes_by_region.bytes
- target_field: gcp.pubsub.topic.unacked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.ack_latencies.value
- target_field: gcp.pubsub.subscription.ack_latencies.value
- 
ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.push_request_latencies.value
- target_field: gcp.pubsub.subscription.push_request_latencies.value
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd1f37e511..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: storage
- metric_types:
- - "api/request_count"
- - "authz/acl_based_object_access_count"
- - "authz/acl_operations_count"
- - "authz/object_specific_acl_mutation_count"
- - "network/received_bytes_count"
- - "network/sent_bytes_count"
- - "storage/object_count"
- - "storage/total_byte_seconds"
- - "storage/total_bytes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 011741d2b4..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/storage/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -description: Pipeline for parsing GCP Storage metrics. -processors: - - rename: - field: gcp.metrics.api.request.count - target_field: gcp.storage.api.request.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_based_object_access.count - target_field: gcp.storage.authz.acl_based_object_access.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_operations.count - target_field: gcp.storage.authz.acl_operations.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.object_specific_acl_mutation.count - target_field: gcp.storage.authz.object_specific_acl_mutation.count - ignore_missing: true - - rename: - field: gcp.metrics.network.received.bytes - target_field: gcp.storage.network.received.bytes - ignore_missing: true - - rename: - field: gcp.metrics.network.sent.bytes - target_field: gcp.storage.network.sent.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.object.count - target_field: gcp.storage.storage.object.count - ignore_missing: true - - rename: - field: gcp.metrics.storage.total_byte_seconds.bytes - target_field: gcp.storage.storage.total_byte_seconds.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.total.bytes - target_field: gcp.storage.storage.total.bytes - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/storage/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/base-fields.yml deleted file mode 100755 index 09f5a3a04a..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.vpcflow diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/ecs.yml deleted file mode 100755 index 87e2bcffa2..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/fields.yml deleted file mode 100755 index afd0aca3fa..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.10-beta.4/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/docs/README.md b/packages/gcp/2.11.10-beta.4/docs/README.md
deleted file mode 100755
index 5194cf59ef..0000000000
--- a/packages/gcp/2.11.10-beta.4/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/docs/audit.md b/packages/gcp/2.11.10-beta.4/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/docs/billing.md b/packages/gcp/2.11.10-beta.4/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.4/docs/compute.md b/packages/gcp/2.11.10-beta.4/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.4/docs/dataproc.md b/packages/gcp/2.11.10-beta.4/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10-beta.4/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster.
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.4/docs/dns.md b/packages/gcp/2.11.10-beta.4/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.10-beta.4/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query.
| keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/docs/firestore.md b/packages/gcp/2.11.10-beta.4/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@
-# Firestore
-
-## Metrics
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.4/docs/firewall.md b/packages/gcp/2.11.10-beta.4/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.10-beta.4/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. 
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/docs/gke.md b/packages/gcp/2.11.10-beta.4/docs/gke.md
deleted file mode 100755
index 58c31a0c39..0000000000
--- a/packages/gcp/2.11.10-beta.4/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.4/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.4/docs/loadbalancing.md deleted file mode 100755 index b7f53f6ca7..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/loadbalancing.md +++ /dev/null 
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.10-beta.4/docs/pubsub.md b/packages/gcp/2.11.10-beta.4/docs/pubsub.md deleted file mode 100755 index ffce8028d9..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/pubsub.md +++ /dev/null 
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.4/docs/storage.md b/packages/gcp/2.11.10-beta.4/docs/storage.md deleted file mode 100755 index fca7e1a230..0000000000 --- a/packages/gcp/2.11.10-beta.4/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.4/docs/vpcflow.md b/packages/gcp/2.11.10-beta.4/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.10-beta.4/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.4/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.10-beta.4/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.4/img/gcp-billing.png b/packages/gcp/2.11.10-beta.4/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.10-beta.4/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.4/img/gcp-compute.png b/packages/gcp/2.11.10-beta.4/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.10-beta.4/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.10-beta.4/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.4/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.10-beta.4/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs GCP] VPC Flow",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- 
},
- {
- "id": "logs-*",
- "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index f99f385850..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing HTTPS Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing HTTPS Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87",
- "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213",
- "type": "visualization"
- },
- {
- "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87",
- "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c",
- "type": "visualization"
- },
- {
- "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87",
- "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b",
- "type": "visualization"
- },
- {
- "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87",
- "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648",
- "type": "visualization"
- },
- {
- "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87",
- "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246",
- "type": "visualization"
- },
- {
- "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87",
- "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d",
- "type": "visualization"
- },
- {
- "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87",
- "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
deleted file mode 100755
index 7e167253d7..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Compute Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Compute Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083",
- "migrationVersion": {
- "dashboard": "7.14.0"
- },
- "references": [
- {
- "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083",
- "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10",
- "type": "visualization"
- },
- {
- "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd",
- "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05",
- "type": "visualization"
- },
- {
- "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083",
- "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f",
- "type": "visualization"
- },
- {
- "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083",
- "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842",
- "type": "visualization"
- },
- {
- "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083",
- "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe",
- "type": "visualization"
- },
- {
- "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083",
- "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807",
- "type": "visualization"
- },
- {
- "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083",
- "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce",
- "type": "visualization"
- },
- {
- "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083",
- "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e",
- "type": "visualization"
- },
- {
- "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083",
- "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index a62be39b46..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "4ca843af-63d7-46b9-a719-51a81eebf1f7": {
- "columnOrder": [
- "2477291e-9021-4eb2-9fce-8da1ee792c49",
- "10b91492-efef-490d-bc7a-c2074b2eae84"
- ],
- "columns": {
- "10b91492-efef-490d-bc7a-c2074b2eae84": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Maximum of gcp.billing.total",
- "operationType": "max",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "2477291e-9021-4eb2-9fce-8da1ee792c49": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Cost Per Project ID",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 20
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "groups": [
- "2477291e-9021-4eb2-9fce-8da1ee792c49"
- ],
- "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "layerType": "data",
- "legendDisplay": "default",
- "metric": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "nestedLegend": false,
- "numberDisplay": "percent"
- }
- ],
- "shape": "pie"
- }
- },
- "title": "Cost Per Project ID [Metrics GCP]",
- "visualizationType": "lnsPie"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
deleted file mode 100755
index 6a75af55fb..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "e12171da-25a4-41ea-86d3-8fd71205c263": {
- "columnOrder": [
- "6011e524-4646-410b-8d1c-06c281e8f7ed",
- "f8ab301c-f139-4573-b233-ed8a3f717e24"
- ],
- "columns": {
- "6011e524-4646-410b-8d1c-06c281e8f7ed": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Invoice Month",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 12
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.invoice_month"
- },
- "f8ab301c-f139-4573-b233-ed8a3f717e24": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing Cost",
- "operationType": "sum",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "columns": [
- {
- "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed"
- },
- {
- "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24"
- }
- ],
- "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263",
- "layerType": "data"
- }
- },
- "title": "Total Cost Table [Metrics GCP]",
- "visualizationType": "lnsDatatable"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 98207850ab..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,153 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "325e60ce-0fbd-42b0-82f6-b10df31fef6c": {
- "columnOrder": [
- "faaaaf23-f362-4a00-be9e-8a155208a39e",
- "c4bc659c-3e7c-41f2-bc38-32d9edee95e8",
- "3041fc1b-ceb8-4188-b55d-d354819f267e"
- ],
- "columns": {
- "3041fc1b-ceb8-4188-b55d-d354819f267e": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing",
- "operationType": "max",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "1d"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "faaaaf23-f362-4a00-be9e-8a155208a39e": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Project ID",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 10
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- },
- "4ca843af-63d7-46b9-a719-51a81eebf1f7": {
- "columnOrder": [
- "1164563d-d2b3-4067-bc7b-d694179182ed",
- "10b91492-efef-490d-bc7a-c2074b2eae84"
- ],
- "columns": {
- "10b91492-efef-490d-bc7a-c2074b2eae84": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing Cost",
- "operationType": "sum",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "1164563d-d2b3-4067-bc7b-d694179182ed": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "1d"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "e25f49de-f161-4be8-a8fc-519188a7776c": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Cost",
- "operationType": "terms",
- 
"params": {
- "orderBy": {
- "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 15
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "fittingFunction": "None",
- "layers": [
- {
- "accessors": [
- "3041fc1b-ceb8-4188-b55d-d354819f267e"
- ],
- "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c",
- "layerType": "data",
- "seriesType": "bar_stacked",
- "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e",
- "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
- },
- "preferredSeriesType": "bar_stacked"
- }
- },
- "title": "Total Cost Bar Chart [Metrics GCP]",
- "visualizationType": "lnsXY"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 92147debf4..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "4cb00ce3-c62e-46f3-90ce-b69c876b9605": {
- "columnOrder": [
- "2f66b924-5392-4e5e-93fe-5b23a87068c1"
- ],
- "columns": {
- "2f66b924-5392-4e5e-93fe-5b23a87068c1": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "",
- "operationType": "unique_count",
- "scale": "ratio",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1",
- "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605",
- "layerType": "data"
- }
- },
- "title": "Total Number Of Projects [Metrics GCP]",
- "visualizationType": "lnsMetric"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 502ed7d0f7..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,108 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "4ca843af-63d7-46b9-a719-51a81eebf1f7": {
- "columnOrder": [
- "e25f49de-f161-4be8-a8fc-519188a7776c",
- "b92edf5e-58bc-4382-9cd5-19db2c332c93",
- "af747bf6-66e9-4760-bbd8-3dae9c97159d"
- ],
- "columns": {
- "af747bf6-66e9-4760-bbd8-3dae9c97159d": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing Cost",
- "operationType": "max",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "b92edf5e-58bc-4382-9cd5-19db2c332c93": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Invoice Month",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "type": "alphabetical"
- },
- "orderDirection": "asc",
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.invoice_month"
- },
- "e25f49de-f161-4be8-a8fc-519188a7776c": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Monthly Cost",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 10
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "fittingFunction": "None",
- "layers": [
- {
- "accessors": [
- "af747bf6-66e9-4760-bbd8-3dae9c97159d"
- ],
- "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "layerType": "data",
- "seriesType": "bar_stacked",
- "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93",
- "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
- },
- "preferredSeriesType": "bar_stacked"
- }
- },
- "title": "Monthly Cost Per Project [Metrics GCP]",
- "visualizationType": "lnsXY"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json
deleted file mode 100755
index 3e96491081..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.email",
- "service.name",
- "gcp.audit.type",
- "event.action",
- "event.outcome",
- "source.ip",
- "source.geo.region_name"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Audit [Logs GCP]",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
deleted file mode 100755
index 5f9cb58c69..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "All assets to monitor GCP",
- "name": "GCP"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index fd06344701..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3OTAsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 6efe6a8273..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Egress Packets [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json
deleted file mode 100755
index ce20138e75..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute CPU Utilization [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzcsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 861368f819..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Filters [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_3_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTMsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 437e049997..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTcsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json
deleted file mode 100755
index 8156946491..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Network Received Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3ODEsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 34aca0f6fc..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Ingress Packets [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTYsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 6156011102..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Account ID Filter [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 3e08b8a182..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json
deleted file mode 100755
index 1f8695114a..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Network Sent Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3ODAsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing HTTPS Request Count [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODcsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json
deleted file mode 100755
index 0757766861..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Read I/O [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzgsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index c8d7d7accb..0000000000
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10-beta.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.4/manifest.yml b/packages/gcp/2.11.10-beta.4/manifest.yml deleted file mode 100755 index 6e6438d10d..0000000000 --- a/packages/gcp/2.11.10-beta.4/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10-beta.4" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.10-beta.5/LICENSE.txt b/packages/gcp/2.11.10-beta.5/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.10-beta.5/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10-beta.5/changelog.yml b/packages/gcp/2.11.10-beta.5/changelog.yml
deleted file mode 100755
index a084f493b1..0000000000
--- a/packages/gcp/2.11.10-beta.5/changelog.yml
+++ /dev/null
@@ -1,322 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.5" - changes: - - description: Add GCP loadbalancing ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4350 -- version: "2.11.10-beta.4" - changes: - - description: Add GCP PubSub ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4349 -- version: "2.11.10-beta.3" - changes: - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey());
- def value = e.getValue();
- Pattern onlyDotsRegex = /^\.+$/;
- if (onlyDotsRegex.matcher(key).matches() || drop(value)) {
- it.remove();
- }
- }
- return (m.size() == 0);
- } else if (o instanceof List) {
- def l = ((List) o);
- l.removeIf(v -> drop(v));
- return (l.length == 0);
- }
- return false;
- }
- drop(ctx);
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/agent.yml
deleted file mode 100755
index 55b1dd9741..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.billing
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/fields.yml
deleted file mode 100755
index 01a7e615bf..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 941808c0d2..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-description: Pipeline for parsing GCP Compute metrics.
-processors:
- - rename:
- field: gcp.metrics.firewall.dropped.bytes
- target_field: gcp.compute.firewall.dropped.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.firewall.dropped_packets_count.value
- target_field: gcp.compute.firewall.dropped_packets_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.reserved_cores.value
- target_field: gcp.compute.instance.cpu.reserved_cores.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.usage_time.sec
- target_field: gcp.compute.instance.cpu.usage_time.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.usage.pct
- target_field: gcp.compute.instance.cpu.usage.pct
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.read.bytes
- target_field: gcp.compute.instance.disk.read.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.read_ops_count.value
- target_field: gcp.compute.instance.disk.read_ops_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.write.bytes
- target_field: gcp.compute.instance.disk.write.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.write_ops_count.value
- target_field: gcp.compute.instance.disk.write_ops_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.ram_size.value
- target_field: gcp.compute.instance.memory.balloon.ram_size.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.ram_used.value
- target_field: gcp.compute.instance.memory.balloon.ram_used.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.swap_in.bytes
- target_field: gcp.compute.instance.memory.balloon.swap_in.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.swap_out.bytes
- target_field: gcp.compute.instance.memory.balloon.swap_out.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.ingress.bytes
- target_field: gcp.compute.instance.network.ingress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.ingress.packets.count
- target_field: gcp.compute.instance.network.ingress.packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.egress.bytes
- target_field: gcp.compute.instance.network.egress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.egress.packets.count
- target_field: gcp.compute.instance.network.egress.packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.uptime.sec
- target_field: gcp.compute.instance.uptime.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.uptime_total.sec
- target_field: gcp.compute.instance.uptime_total.sec
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.compute
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/fields.yml
deleted file mode 100755
index c55330dd65..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: dataproc
- metric_types:
- - "cluster/hdfs/datanodes"
- - "cluster/hdfs/storage_capacity"
- - "cluster/hdfs/storage_utilization"
- - "cluster/hdfs/unhealthy_blocks"
- - "cluster/job/failed_count"
- - "cluster/job/running_count"
- - "cluster/job/submitted_count"
- - "cluster/operation/failed_count"
- - "cluster/operation/running_count"
- - "cluster/operation/submitted_count"
- - "cluster/yarn/allocated_memory_percentage"
- - "cluster/yarn/apps"
- - "cluster/yarn/containers"
- - "cluster/yarn/memory_size"
- - "cluster/yarn/nodemanagers"
- - "cluster/yarn/pending_memory_size"
- - "cluster/yarn/virtual_cores"
- - "cluster/job/completion_time"
- - "cluster/job/duration"
- - "cluster/operation/completion_time"
- - "cluster/operation/duration"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.5/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8556ebb766..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-description: Pipeline for parsing GCP Firestore metrics.
-processors:
- - rename:
- field: gcp.metrics.document.delete.count
- target_field: gcp.firestore.document.delete.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.read.count
- target_field: gcp.firestore.document.read.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.write.count
- target_field: gcp.firestore.document.write.count
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.5/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/gke/agent/stream/stream.yml.hbs deleted file mode 100755 index 0046ac8843..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/fields.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.5/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 81bd6368c6..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,127 +0,0 @@ ---- -description: Pipeline for parsing GCP Loadbalancing metrics. -processors: - - rename: - field: gcp.metrics.https.backend_request.bytes - target_field: gcp.loadbalancing_metrics.https.backend_request.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_request.count - target_field: gcp.loadbalancing_metrics.https.backend_request.count - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_response.bytes - target_field: gcp.loadbalancing_metrics.https.backend_response.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.request.bytes - target_field: gcp.loadbalancing_metrics.https.request.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.request.count - target_field: gcp.loadbalancing_metrics.https.request.count - ignore_missing: true - - rename: - field: gcp.metrics.https.response.bytes - target_field: gcp.loadbalancing_metrics.https.response.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.egress.bytes - target_field: gcp.loadbalancing_metrics.l3.external.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.egress_packets.count - target_field: gcp.loadbalancing_metrics.l3.external.egress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.ingress.bytes - target_field: gcp.loadbalancing_metrics.l3.external.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.ingress_packets.count - target_field: gcp.loadbalancing_metrics.l3.external.ingress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.egress.bytes - target_field: gcp.loadbalancing_metrics.l3.internal.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.egress_packets.count - target_field: gcp.loadbalancing_metrics.l3.internal.egress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.ingress.bytes - target_field: 
gcp.loadbalancing_metrics.l3.internal.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.ingress_packets.count - target_field: gcp.loadbalancing_metrics.l3.internal.ingress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.closed_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.closed_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.egress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.ingress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.new_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.new_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.open_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.open_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.https.frontend_tcp_rtt.value - ignore_missing: true - - rename: - field: gcp.metrics.https.internal.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.backend_latencies.value - ignore_missing: true - - rename: - field: 
gcp.metrics.https.internal.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.external.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.internal.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 41c81b4d9b..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,207 +0,0 @@ ---- -description: Pipeline for parsing GCP PubSub metrics. -processors: - - rename: - field: gcp.metrics.snapshot.backlog.bytes - target_field: gcp.pubsub.snapshot.backlog.bytes - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.backlog_bytes_by_region.bytes - target_field: gcp.pubsub.snapshot.backlog_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.config_updates.count - target_field: gcp.pubsub.snapshot.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.num_messages.value - target_field: gcp.pubsub.snapshot.num_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.num_messages_by_region.value - target_field: gcp.pubsub.snapshot.num_messages_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.oldest_message_age.sec - target_field: gcp.pubsub.snapshot.oldest_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.oldest_message_age_by_region.sec - target_field: gcp.pubsub.snapshot.oldest_message_age_by_region.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.ack_message.count - target_field: gcp.pubsub.subscription.ack_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.backlog.bytes - target_field: gcp.pubsub.subscription.backlog.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.byte_cost.bytes - target_field: gcp.pubsub.subscription.byte_cost.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.config_updates.count - target_field: gcp.pubsub.subscription.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.dead_letter_message.count - target_field: gcp.pubsub.subscription.dead_letter_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_message.count - target_field: 
gcp.pubsub.subscription.mod_ack_deadline_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_message_operation.count - target_field: gcp.pubsub.subscription.mod_ack_deadline_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_request.count - target_field: gcp.pubsub.subscription.mod_ack_deadline_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.num_outstanding_messages.value - target_field: gcp.pubsub.subscription.num_outstanding_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.num_undelivered_messages.value - target_field: gcp.pubsub.subscription.num_undelivered_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_retained_acked_message_age.sec - target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_retained_acked_message_age_by_region.value - target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_unacked_message_age.sec - target_field: gcp.pubsub.subscription.oldest_unacked_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_unacked_message_age_by_region.value - target_field: gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_ack_message_operation.count - target_field: gcp.pubsub.subscription.pull_ack_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_ack_request.count - target_field: gcp.pubsub.subscription.pull_ack_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_message_operation.count - target_field: 
gcp.pubsub.subscription.pull_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_request.count - target_field: gcp.pubsub.subscription.pull_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.push_request.count - target_field: gcp.pubsub.subscription.push_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.retained_acked.bytes - target_field: gcp.pubsub.subscription.retained_acked.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.retained_acked_bytes_by_region.bytes - target_field: gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.seek_request.count - target_field: gcp.pubsub.subscription.seek_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.sent_message.count - target_field: gcp.pubsub.subscription.sent_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_ack_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_ack_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_ack_request.count - target_field: gcp.pubsub.subscription.streaming_pull_ack_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_request.count - target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count - ignore_missing: true - - rename: - field: 
gcp.metrics.subscription.streaming_pull_response.count - target_field: gcp.pubsub.subscription.streaming_pull_response.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.unacked_bytes_by_region.bytes - target_field: gcp.pubsub.subscription.unacked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.byte_cost.bytes - target_field: gcp.pubsub.topic.byte_cost.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.config_updates.count - target_field: gcp.pubsub.topic.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.message_sizes.bytes - target_field: gcp.pubsub.topic.message_sizes.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.oldest_retained_acked_message_age_by_region.value - target_field: gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.topic.oldest_unacked_message_age_by_region.value - target_field: gcp.pubsub.topic.oldest_unacked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.topic.retained_acked_bytes_by_region.bytes - target_field: gcp.pubsub.topic.retained_acked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.send_message_operation.count - target_field: gcp.pubsub.topic.send_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.send_request.count - target_field: gcp.pubsub.topic.send_request.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.streaming_pull_response.count - target_field: gcp.pubsub.topic.streaming_pull_response.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.unacked_bytes_by_region.bytes - target_field: gcp.pubsub.topic.unacked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.ack_latencies.value - target_field: gcp.pubsub.subscription.ack_latencies.value - 
ignore_missing: true - - rename: - field: gcp.metrics.subscription.push_request_latencies.value - target_field: gcp.pubsub.subscription.push_request_latencies.value - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/fields.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 011741d2b4..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -description: Pipeline for parsing GCP Storage metrics. -processors: - - rename: - field: gcp.metrics.api.request.count - target_field: gcp.storage.api.request.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_based_object_access.count - target_field: gcp.storage.authz.acl_based_object_access.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_operations.count - target_field: gcp.storage.authz.acl_operations.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.object_specific_acl_mutation.count - target_field: gcp.storage.authz.object_specific_acl_mutation.count - ignore_missing: true - - rename: - field: gcp.metrics.network.received.bytes - target_field: gcp.storage.network.received.bytes - ignore_missing: true - - rename: - field: gcp.metrics.network.sent.bytes - target_field: gcp.storage.network.sent.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.object.count - target_field: gcp.storage.storage.object.count - ignore_missing: true - - rename: - field: gcp.metrics.storage.total_byte_seconds.bytes - target_field: gcp.storage.storage.total_byte_seconds.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.total.bytes - target_field: gcp.storage.storage.total.bytes - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/storage/sample_event.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null 
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/sample_event.json deleted file mode 100755 index a1244c2cca..0000000000 --- a/packages/gcp/2.11.10-beta.5/data_stream/vpcflow/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/docs/README.md b/packages/gcp/2.11.10-beta.5/docs/README.md deleted file mode 100755 index 5194cf59ef..0000000000 --- a/packages/gcp/2.11.10-beta.5/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": 
"event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
-
-## Metrics
-
-### Billing
-
-The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/docs/audit.md b/packages/gcp/2.11.10-beta.5/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.5/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/docs/billing.md b/packages/gcp/2.11.10-beta.5/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.5/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.5/docs/compute.md b/packages/gcp/2.11.10-beta.5/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.10-beta.5/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/dataproc.md b/packages/gcp/2.11.10-beta.5/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long | -| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long | -| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double | -| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double | -| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long | -| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object | -| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long | -| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long | -| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object | -| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long | -| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/dns.md b/packages/gcp/2.11.10-beta.5/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/docs/firestore.md b/packages/gcp/2.11.10-beta.5/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.10-beta.5/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/firewall.md b/packages/gcp/2.11.10-beta.5/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/docs/gke.md b/packages/gcp/2.11.10-beta.5/docs/gke.md
deleted file mode 100755
index 58c31a0c39..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.5/docs/loadbalancing.md
deleted file mode 100755
index b7f53f6ca7..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/pubsub.md b/packages/gcp/2.11.10-beta.5/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@
-# PubSub
-
-## Metrics
-
-The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `pubsub` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long |
-| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object |
-| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long |
-| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long |
-| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long |
-| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long |
-| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long |
-| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long |
-| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long |
-| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object |
-| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long |
-| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long |
-| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long |
-| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long |
-| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long |
-| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object |
-| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long |
-| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long |
-| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/storage.md b/packages/gcp/2.11.10-beta.5/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# Storage
-
-## Metrics
-
-The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `storage` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long |
-| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long |
-| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long |
-| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long |
-| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long |
-| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.5/docs/vpcflow.md b/packages/gcp/2.11.10-beta.5/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10-beta.5/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# VPC Flow
-
-## Logs
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.5/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.10-beta.5/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.5/img/gcp-billing.png b/packages/gcp/2.11.10-beta.5/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.10-beta.5/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.5/img/gcp-compute.png b/packages/gcp/2.11.10-beta.5/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.10-beta.5/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.5/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.5/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.10-beta.5/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 22d953a269..0000000000
--- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing L3 Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing L3 Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa",
- "type": "visualization"
- },
- {
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3",
- "type": "visualization"
- },
- {
- "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87",
- "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86",
- "type": "visualization"
- },
- {
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a",
- "type": "visualization"
- },
- {
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10-beta.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.5/manifest.yml b/packages/gcp/2.11.10-beta.5/manifest.yml deleted file mode 100755 index fa0cc4a024..0000000000 --- a/packages/gcp/2.11.10-beta.5/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10-beta.5" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.10-beta.6/LICENSE.txt b/packages/gcp/2.11.10-beta.6/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.10-beta.6/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10-beta.6/changelog.yml b/packages/gcp/2.11.10-beta.6/changelog.yml
deleted file mode 100755
index f3ff62d054..0000000000
--- a/packages/gcp/2.11.10-beta.6/changelog.yml
+++ /dev/null
@@ -1,327 +0,0 @@ -# newer versions go on top -- version: "2.11.10-beta.6" - changes: - - description: Add ingest pipeline for dataproc. - type: enhancement - link: https://github.com/elastic/integrations/pull/4344 -- version: "2.11.10-beta.5" - changes: - - description: Add GCP loadbalancing ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4350 -- version: "2.11.10-beta.4" - changes: - - description: Add GCP PubSub ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4349 -- version: "2.11.10-beta.3" - changes: - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) audit logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-audit
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-audit
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/audit/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger":
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/agent.yml
deleted file mode 100755
index 55b1dd9741..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/billing/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/billing/sample_event.json deleted file mode 100755 index 2acd0b4308..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/billing/sample_event.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/compute/agent/stream/stream.yml.hbs deleted file mode 100755 index dd973286ef..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 941808c0d2..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -description: Pipeline for parsing GCP Compute metrics. -processors: - - rename: - field: gcp.metrics.firewall.dropped.bytes - target_field: gcp.compute.firewall.dropped.bytes - ignore_missing: true - - rename: - field: gcp.metrics.firewall.dropped_packets_count.value - target_field: gcp.compute.firewall.dropped_packets_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.reserved_cores.value - target_field: gcp.compute.instance.cpu.reserved_cores.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage_time.sec - target_field: gcp.compute.instance.cpu.usage_time.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.cpu.usage.pct - target_field: gcp.compute.instance.cpu.usage.pct - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read.bytes - target_field: gcp.compute.instance.disk.read.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.read_ops_count.value - target_field: gcp.compute.instance.disk.read_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write.bytes - target_field: gcp.compute.instance.disk.write.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.disk.write_ops_count.value - target_field: gcp.compute.instance.disk.write_ops_count.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_size.value - target_field: gcp.compute.instance.memory.balloon.ram_size.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.ram_used.value - target_field: gcp.compute.instance.memory.balloon.ram_used.value - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_in.bytes - target_field: gcp.compute.instance.memory.balloon.swap_in.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.memory.balloon.swap_out.bytes - target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.bytes - target_field: gcp.compute.instance.network.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.ingress.packets.count - target_field: gcp.compute.instance.network.ingress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.bytes - target_field: gcp.compute.instance.network.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.instance.network.egress.packets.count - target_field: gcp.compute.instance.network.egress.packets.count - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime.sec - target_field: gcp.compute.instance.uptime.sec - ignore_missing: true - - rename: - field: gcp.metrics.instance.uptime_total.sec - target_field: gcp.compute.instance.uptime_total.sec - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.6/data_stream/compute/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/agent/stream/stream.yml.hbs deleted file mode 100755 index 914e062aa2..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2bf0693774..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,100 +0,0 @@
----
-description: Pipeline for parsing GCP Dataproc metrics.
-processors:
- - rename:
- field: gcp.metrics.batch.spark.executors.count
- target_field: gcp.dataproc.batch.spark.executors.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.hdfs.datanodes.count
- target_field: gcp.dataproc.cluster.hdfs.datanodes.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.hdfs.storage_capacity.value
- target_field: gcp.dataproc.cluster.hdfs.storage_capacity.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.hdfs.storage_utilization.value
- target_field: gcp.dataproc.cluster.hdfs.storage_utilization.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.hdfs.unhealthy_blocks.count
- target_field: gcp.dataproc.cluster.hdfs.unhealthy_blocks.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.job.failed.count
- target_field: gcp.dataproc.cluster.job.failed.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.job.running.count
- target_field: gcp.dataproc.cluster.job.running.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.job.submitted.count
- target_field: gcp.dataproc.cluster.job.submitted.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.operation.failed.count
- target_field: gcp.dataproc.cluster.operation.failed.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.operation.running.count
- target_field: gcp.dataproc.cluster.operation.running.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.operation.submitted.count
- target_field: gcp.dataproc.cluster.operation.submitted.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.allocated_memory_percentage.value
- target_field: gcp.dataproc.cluster.yarn.allocated_memory_percentage.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.apps.count
- target_field:
gcp.dataproc.cluster.yarn.apps.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.containers.count
- target_field: gcp.dataproc.cluster.yarn.containers.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.memory_size.value
- target_field: gcp.dataproc.cluster.yarn.memory_size.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.nodemanagers.count
- target_field: gcp.dataproc.cluster.yarn.nodemanagers.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.pending_memory_size.value
- target_field: gcp.dataproc.cluster.yarn.pending_memory_size.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.yarn.virtual_cores.count
- target_field: gcp.dataproc.cluster.yarn.virtual_cores.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.job.completion_time.value
- target_field: gcp.dataproc.cluster.job.completion_time.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.job.duration.value
- target_field: gcp.dataproc.cluster.job.duration.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.operation.completion_time.value
- target_field: gcp.dataproc.cluster.operation.completion_time.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.cluster.operation.duration.value
- target_field: gcp.dataproc.cluster.operation.duration.value
- ignore_missing: true
- - remove:
- ignore_missing: true
- field:
- - gcp.metrics
-
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/base-fields.yml
deleted file mode 100755
index 0dbeaa24e6..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dataproc
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/fields.yml
deleted file mode 100755
index e7086b5977..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/dns/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8556ebb766..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-description: Pipeline for parsing GCP Firestore metrics.
-processors:
- - rename:
- field: gcp.metrics.document.delete.count
- target_field: gcp.firestore.document.delete.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.read.count
- target_field: gcp.firestore.document.read.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.write.count
- target_field: gcp.firestore.document.write.count
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 93e2a6ab3b..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firewall diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 9723061204..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: gcp.firewall - type: group - fields: - - name: rule_details - type: group - fields: - - name: priority - type: long - description: The priority for the firewall rule. - - name: action - type: keyword - description: Action that the rule performs on match. - - name: direction - type: keyword - description: Direction of traffic that matches this rule. - - name: reference - type: keyword - description: Reference to the firewall rule. - - name: source_range - type: keyword - description: List of source ranges that the firewall rule applies to. - - name: destination_range - type: keyword - description: List of destination ranges that the firewall applies to. - - name: source_tag - type: keyword - description: | - List of all the source tags that the firewall rule applies to. - - name: target_tag - type: keyword - description: | - List of all the target tags that the firewall rule applies to. - - name: ip_port_info - type: array - description: | - List of ip protocols and applicable port ranges for rules. - - name: source_service_account - type: keyword - description: | - List of all the source service accounts that the firewall rule applies to. - - name: target_service_account - type: keyword - description: | - List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0046ac8843..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.6/data_stream/gke/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@
-- name: gcp.load_balancer
- type: group
- fields:
- - name: backend_service_name
- type: keyword
- description: |
- The backend service to which the load balancer is sending traffic
- - name: cache_hit
- type: boolean
- description: |
- Whether or not an entity was served from cache (with or without validation).
- - name: cache_id
- type: keyword
- description: >-
- Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches).
- - name: cache_lookup
- type: boolean
- description: |
- Whether or not a cache lookup was attempted.
- - name: forwarding_rule_name
- type: keyword
- description: |
- The name of the forwarding rule
- - name: status_details
- type: keyword
- description: >-
- Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages.
- - name: target_proxy_name
- type: keyword
- description: |
- The target proxy name
- - name: url_map_name
- type: keyword
- description: |
- The URL map name
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/manifest.yml
deleted file mode 100755
index d570564343..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: loadbalancing
- metric_types:
- - "https/backend_request_bytes_count"
- - "https/backend_request_count"
- - "https/backend_response_bytes_count"
- - "https/request_bytes_count"
- - "https/request_count"
- - "https/response_bytes_count"
- - "l3/external/egress_bytes_count"
- - "l3/external/egress_packets_count"
- - "l3/external/ingress_bytes_count"
- - "l3/external/ingress_packets_count"
- - "l3/internal/egress_bytes_count"
- - "l3/internal/egress_packets_count"
- - "l3/internal/ingress_bytes_count"
- - "l3/internal/ingress_packets_count"
- - "tcp_ssl_proxy/closed_connections"
- - "tcp_ssl_proxy/egress_bytes_count"
- - "tcp_ssl_proxy/ingress_bytes_count"
- - "tcp_ssl_proxy/new_connections"
- - "tcp_ssl_proxy/open_connections"
- - "https/backend_latencies"
- - "https/external/regional/backend_latencies"
- - "https/external/regional/total_latencies"
- - "https/frontend_tcp_rtt"
- - "https/internal/backend_latencies"
- - "https/internal/total_latencies"
- - "https/total_latencies"
- - "l3/external/rtt_latencies"
- - "l3/internal/rtt_latencies"
- - "tcp_ssl_proxy/frontend_tcp_rtt"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 81bd6368c6..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,127 +0,0 @@
----
-description: Pipeline for parsing GCP Loadbalancing metrics.
-processors:
- - rename:
- field: gcp.metrics.https.backend_request.bytes
- target_field: gcp.loadbalancing_metrics.https.backend_request.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.https.backend_request.count
- target_field: gcp.loadbalancing_metrics.https.backend_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.https.backend_response.bytes
- target_field: gcp.loadbalancing_metrics.https.backend_response.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.https.request.bytes
- target_field: gcp.loadbalancing_metrics.https.request.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.https.request.count
- target_field: gcp.loadbalancing_metrics.https.request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.https.response.bytes
- target_field: gcp.loadbalancing_metrics.https.response.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.external.egress.bytes
- target_field: gcp.loadbalancing_metrics.l3.external.egress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.external.egress_packets.count
- target_field: gcp.loadbalancing_metrics.l3.external.egress_packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.external.ingress.bytes
- target_field: gcp.loadbalancing_metrics.l3.external.ingress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.external.ingress_packets.count
- target_field: gcp.loadbalancing_metrics.l3.external.ingress_packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.internal.egress.bytes
- target_field: gcp.loadbalancing_metrics.l3.internal.egress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.internal.egress_packets.count
- target_field: gcp.loadbalancing_metrics.l3.internal.egress_packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.l3.internal.ingress.bytes
- target_field: 
gcp.loadbalancing_metrics.l3.internal.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.ingress_packets.count - target_field: gcp.loadbalancing_metrics.l3.internal.ingress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.closed_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.closed_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.egress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.ingress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.new_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.new_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.open_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.open_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.https.frontend_tcp_rtt.value - ignore_missing: true - - rename: - field: gcp.metrics.https.internal.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.backend_latencies.value - ignore_missing: true - - rename: - field: 
gcp.metrics.https.internal.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.external.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.internal.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/base-fields.yml
deleted file mode 100755
index 9529fa58a5..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_metrics
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/fields.yml
deleted file mode 100755
index 2e8929f684..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
- - name: https.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
- - name: https.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the RTT measured for each connection between client and proxy.
- - name: https.internal.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.internal.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: https.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: l3.external.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
- - name: l3.internal.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
- - name: tcp_ssl_proxy.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 41c81b4d9b..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,207 +0,0 @@
----
-description: Pipeline for parsing GCP PubSub metrics.
-processors:
- - rename:
- field: gcp.metrics.snapshot.backlog.bytes
- target_field: gcp.pubsub.snapshot.backlog.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.backlog_bytes_by_region.bytes
- target_field: gcp.pubsub.snapshot.backlog_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.config_updates.count
- target_field: gcp.pubsub.snapshot.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.num_messages.value
- target_field: gcp.pubsub.snapshot.num_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.num_messages_by_region.value
- target_field: gcp.pubsub.snapshot.num_messages_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.oldest_message_age.sec
- target_field: gcp.pubsub.snapshot.oldest_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.snapshot.oldest_message_age_by_region.sec
- target_field: gcp.pubsub.snapshot.oldest_message_age_by_region.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.ack_message.count
- target_field: gcp.pubsub.subscription.ack_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.backlog.bytes
- target_field: gcp.pubsub.subscription.backlog.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.byte_cost.bytes
- target_field: gcp.pubsub.subscription.byte_cost.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.config_updates.count
- target_field: gcp.pubsub.subscription.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.dead_letter_message.count
- target_field: gcp.pubsub.subscription.dead_letter_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_message.count
- target_field: gcp.pubsub.subscription.mod_ack_deadline_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_message_operation.count
- target_field: gcp.pubsub.subscription.mod_ack_deadline_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.mod_ack_deadline_request.count
- target_field: gcp.pubsub.subscription.mod_ack_deadline_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.num_outstanding_messages.value
- target_field: gcp.pubsub.subscription.num_outstanding_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.num_undelivered_messages.value
- target_field: gcp.pubsub.subscription.num_undelivered_messages.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_retained_acked_message_age.sec
- target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_retained_acked_message_age_by_region.value
- target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_unacked_message_age.sec
- target_field: gcp.pubsub.subscription.oldest_unacked_message_age.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.oldest_unacked_message_age_by_region.value
- target_field: gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_ack_message_operation.count
- target_field: gcp.pubsub.subscription.pull_ack_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_ack_request.count
- target_field: gcp.pubsub.subscription.pull_ack_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_message_operation.count
- target_field: gcp.pubsub.subscription.pull_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.pull_request.count
- target_field: gcp.pubsub.subscription.pull_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.push_request.count
- target_field: gcp.pubsub.subscription.push_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.retained_acked.bytes
- target_field: gcp.pubsub.subscription.retained_acked.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.retained_acked_bytes_by_region.bytes
- target_field: gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.seek_request.count
- target_field: gcp.pubsub.subscription.seek_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.sent_message.count
- target_field: gcp.pubsub.subscription.sent_message.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_ack_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_ack_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_ack_request.count
- target_field: gcp.pubsub.subscription.streaming_pull_ack_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_message_operation.count
- target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_request.count
- target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.streaming_pull_response.count
- target_field: gcp.pubsub.subscription.streaming_pull_response.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.unacked_bytes_by_region.bytes
- target_field: gcp.pubsub.subscription.unacked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.byte_cost.bytes
- target_field: gcp.pubsub.topic.byte_cost.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.config_updates.count
- target_field: gcp.pubsub.topic.config_updates.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.message_sizes.bytes
- target_field: gcp.pubsub.topic.message_sizes.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.oldest_retained_acked_message_age_by_region.value
- target_field: gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.oldest_unacked_message_age_by_region.value
- target_field: gcp.pubsub.topic.oldest_unacked_message_age_by_region.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.retained_acked_bytes_by_region.bytes
- target_field: gcp.pubsub.topic.retained_acked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.send_message_operation.count
- target_field: gcp.pubsub.topic.send_message_operation.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.send_request.count
- target_field: gcp.pubsub.topic.send_request.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.streaming_pull_response.count
- target_field: gcp.pubsub.topic.streaming_pull_response.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.topic.unacked_bytes_by_region.bytes
- target_field: gcp.pubsub.topic.unacked_bytes_by_region.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.ack_latencies.value
- target_field: gcp.pubsub.subscription.ack_latencies.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.subscription.push_request_latencies.value
- target_field: gcp.pubsub.subscription.push_request_latencies.value
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/fields.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 011741d2b4..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -description: Pipeline for parsing GCP Storage metrics. -processors: - - rename: - field: gcp.metrics.api.request.count - target_field: gcp.storage.api.request.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_based_object_access.count - target_field: gcp.storage.authz.acl_based_object_access.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_operations.count - target_field: gcp.storage.authz.acl_operations.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.object_specific_acl_mutation.count - target_field: gcp.storage.authz.object_specific_acl_mutation.count - ignore_missing: true - - rename: - field: gcp.metrics.network.received.bytes - target_field: gcp.storage.network.received.bytes - ignore_missing: true - - rename: - field: gcp.metrics.network.sent.bytes - target_field: gcp.storage.network.sent.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.object.count - target_field: gcp.storage.storage.object.count - ignore_missing: true - - rename: - field: gcp.metrics.storage.total_byte_seconds.bytes - target_field: gcp.storage.storage.total_byte_seconds.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.total.bytes - target_field: gcp.storage.storage.total.bytes - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/storage/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/storage/sample_event.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null 
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@
----
-description: Pipeline for Google Cloud VPC Flow Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: connection
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.bytes_sent
- target_field: source.bytes
- ignore_missing: true
- - rename:
- field: json.jsonPayload.packets_sent
- target_field: source.packets
- ignore_missing: true
- - rename:
- field: json.jsonPayload.start_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.jsonPayload.end_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
- target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - convert:
- field: json.jsonPayload.rtt_msec
- target_field: json.jsonPayload.rtt.ms
- type: long
- ignore_missing: true
- - rename:
- field: json.jsonPayload
- target_field: gcp.vpcflow
- ignore_missing: true
- - convert:
- field: source.bytes
- type: long
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - remove:
- field:
- - gcp.vpcflow.rtt_msec
- - gcp.vpcflow.connection
- - gcp.vpcflow.dest_location
- - gcp.vpcflow.src_location
- - json
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_failure: true
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_failure: true
- if: ctx?.destination?.address != null
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: source.bytes
- type: long
- target_field: network.bytes
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- target_field: network.packets
- ignore_missing: true
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: outbound
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null
- - set:
- field: network.direction
- value: inbound
- if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.10-beta.6/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/docs/README.md b/packages/gcp/2.11.10-beta.6/docs/README.md
deleted file mode 100755
index 5194cf59ef..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
| long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number":
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset.
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency.
| integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind":
"event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
-
-## Metrics
-
-### Billing
-
-The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/docs/audit.md b/packages/gcp/2.11.10-beta.6/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10-beta.6/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/docs/billing.md b/packages/gcp/2.11.10-beta.6/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10-beta.6/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.6/docs/compute.md b/packages/gcp/2.11.10-beta.6/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.10-beta.6/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/dataproc.md b/packages/gcp/2.11.10-beta.6/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster.
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/dns.md b/packages/gcp/2.11.10-beta.6/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query.
| keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- 
"auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/docs/firestore.md b/packages/gcp/2.11.10-beta.6/docs/firestore.md
deleted file mode 100755
index 2b8c97370e..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/firestore.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Firestore
-
-## Metrics
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/firewall.md b/packages/gcp/2.11.10-beta.6/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/docs/gke.md b/packages/gcp/2.11.10-beta.6/docs/gke.md
deleted file mode 100755
index 58c31a0c39..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10-beta.6/docs/loadbalancing.md b/packages/gcp/2.11.10-beta.6/docs/loadbalancing.md deleted file mode 100755 index b7f53f6ca7..0000000000 --- a/packages/gcp/2.11.10-beta.6/docs/loadbalancing.md +++ /dev/null 
@@ -1,397 +0,0 @@
-# Load Balancing
-
-## Logs
-
-The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers.
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}",
- "type": "info"
- },
- "gcp": {
- "load_balancer": {
- "backend_service_name": "",
- "cache_hit": true,
- "cache_id": "SFO-fbae48ad",
- "cache_lookup": true,
- "forwarding_rule_name": "FORWARDING_RULE_NAME",
- "status_details": "response_from_cache",
- "target_proxy_name": "TARGET_PROXY_NAME",
- "url_map_name": "URL_MAP_NAME"
- }
- },
- "http": {
- "request": {
- "bytes": 577,
- "method": "GET",
- "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript"
- },
- "response": {
- "bytes": 157,
- "status_code": 304
- },
- "version": "2.0"
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/PROJECT_ID/logs/requests"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "ip": [
- "89.160.20.156",
- "81.2.69.193",
- "10.5.3.1"
- ]
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 9989
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ],
- "url": {
- "domain": "81.2.69.193",
- "extension": "jpg",
- "original": "http://81.2.69.193:8080/static/us/three-cats.jpg",
- "path": "/static/us/three-cats.jpg",
- "port": 8080,
- "scheme": "http"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.14.6",
- "name": "Mac OS X",
- "version": "10.14.6"
- },
- "version": "83.0.4103.61"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword |
-| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean |
-| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword |
-| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean |
-| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword |
-| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword |
-| gcp.load_balancer.target_proxy_name | The target proxy name | keyword |
-| gcp.load_balancer.url_map_name | The URL map name | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-## Metrics
-
-The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing).
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long |
-| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long |
-| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. | object |
-| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long |
-| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long |
-| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/pubsub.md b/packages/gcp/2.11.10-beta.6/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/storage.md b/packages/gcp/2.11.10-beta.6/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10-beta.6/docs/vpcflow.md b/packages/gcp/2.11.10-beta.6/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10-beta.6/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10-beta.6/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.10-beta.6/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.6/img/gcp-billing.png b/packages/gcp/2.11.10-beta.6/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.10-beta.6/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.6/img/gcp-compute.png b/packages/gcp/2.11.10-beta.6/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.10-beta.6/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.10-beta.6/img/logo_gcp.svg b/packages/gcp/2.11.10-beta.6/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.10-beta.6/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 22d953a269..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10-beta.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10-beta.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 8895100042..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 4390df28b8..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index fbbf68f4d4..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 8b7e7300c9..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 94a8ff52e0..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index 0b505bcc4a..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 441aac75ab..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
deleted file mode 100755
index fa3f3fa3e8..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 214ee0c212..0000000000
--- a/packages/gcp/2.11.10-beta.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10-beta.6/manifest.yml b/packages/gcp/2.11.10-beta.6/manifest.yml deleted file mode 100755 index cdfe239ba5..0000000000 --- a/packages/gcp/2.11.10-beta.6/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10-beta.6" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.10/LICENSE.txt b/packages/gcp/2.11.10/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.10/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.10/changelog.yml b/packages/gcp/2.11.10/changelog.yml
deleted file mode 100755
index 9f0e00e516..0000000000
--- a/packages/gcp/2.11.10/changelog.yml
+++ /dev/null
@@ -1,347 +0,0 @@ -# newer versions go on top -- version: "2.11.10" - changes: - - description: Add ingest pipeline for dataproc. - type: enhancement - link: https://github.com/elastic/integrations/pull/4344 - - description: Add GCP loadbalancing ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4350 - - description: Add GCP PubSub ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4349 - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.10-beta.6" - changes: - - description: Add ingest pipeline for dataproc. - type: enhancement - link: https://github.com/elastic/integrations/pull/4344 -- version: "2.11.10-beta.5" - changes: - - description: Add GCP loadbalancing ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4350 -- version: "2.11.10-beta.4" - changes: - - description: Add GCP PubSub ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4349 -- version: "2.11.10-beta.3" - changes: - - description: Add GCP Storage ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4348 -- version: "2.11.10-beta.2" - changes: - - description: Add GCP Firestore ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4347 -- version: "2.11.10-beta.1" - changes: - - description: Add GCP Compute ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4343 -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.10/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.10/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey());
- def value = e.getValue();
- Pattern onlyDotsRegex = /^\.+$/;
- if (onlyDotsRegex.matcher(key).matches() || drop(value)) {
- it.remove();
- }
- }
- return (m.size() == 0);
- } else if (o instanceof List) {
- def l = ((List) o);
- l.removeIf(v -> drop(v));
- return (l.length == 0);
- }
- return false;
- }
- drop(ctx);
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.10/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.10/data_stream/audit/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.10/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.10/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.10/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.10/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10/data_stream/audit/manifest.yml b/packages/gcp/2.11.10/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) audit logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-audit
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-audit
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10/data_stream/audit/sample_event.json b/packages/gcp/2.11.10/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.10/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger":
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.10/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.10/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.10/data_stream/billing/fields/agent.yml
deleted file mode 100755
index 55b1dd9741..0000000000
--- a/packages/gcp/2.11.10/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.10/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.10/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.10/data_stream/billing/fields/fields.yml
deleted file mode 100755
index 01a7e615bf..0000000000
--- a/packages/gcp/2.11.10/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.10/data_stream/billing/manifest.yml b/packages/gcp/2.11.10/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.10/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.10/data_stream/billing/sample_event.json b/packages/gcp/2.11.10/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.10/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.10/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 941808c0d2..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-description: Pipeline for parsing GCP Compute metrics.
-processors:
- - rename:
- field: gcp.metrics.firewall.dropped.bytes
- target_field: gcp.compute.firewall.dropped.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.firewall.dropped_packets_count.value
- target_field: gcp.compute.firewall.dropped_packets_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.reserved_cores.value
- target_field: gcp.compute.instance.cpu.reserved_cores.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.usage_time.sec
- target_field: gcp.compute.instance.cpu.usage_time.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.cpu.usage.pct
- target_field: gcp.compute.instance.cpu.usage.pct
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.read.bytes
- target_field: gcp.compute.instance.disk.read.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.read_ops_count.value
- target_field: gcp.compute.instance.disk.read_ops_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.write.bytes
- target_field: gcp.compute.instance.disk.write.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.disk.write_ops_count.value
- target_field: gcp.compute.instance.disk.write_ops_count.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.ram_size.value
- target_field: gcp.compute.instance.memory.balloon.ram_size.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.ram_used.value
- target_field: gcp.compute.instance.memory.balloon.ram_used.value
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.swap_in.bytes
- target_field: gcp.compute.instance.memory.balloon.swap_in.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.memory.balloon.swap_out.bytes
- target_field: 
gcp.compute.instance.memory.balloon.swap_out.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.ingress.bytes
- target_field: gcp.compute.instance.network.ingress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.ingress.packets.count
- target_field: gcp.compute.instance.network.ingress.packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.egress.bytes
- target_field: gcp.compute.instance.network.egress.bytes
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.network.egress.packets.count
- target_field: gcp.compute.instance.network.egress.packets.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.uptime.sec
- target_field: gcp.compute.instance.uptime.sec
- ignore_missing: true
- - rename:
- field: gcp.metrics.instance.uptime_total.sec
- target_field: gcp.compute.instance.uptime_total.sec
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.10/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.10/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.10/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10/data_stream/compute/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.10/data_stream/compute/fields/fields.yml
deleted file mode 100755
index c55330dd65..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.10/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10/data_stream/compute/manifest.yml b/packages/gcp/2.11.10/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10/data_stream/compute/sample_event.json b/packages/gcp/2.11.10/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.10/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.10/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: dataproc
- metric_types:
- - "cluster/hdfs/datanodes"
- - "cluster/hdfs/storage_capacity"
- - "cluster/hdfs/storage_utilization"
- - "cluster/hdfs/unhealthy_blocks"
- - "cluster/job/failed_count"
- - "cluster/job/running_count"
- - "cluster/job/submitted_count"
- - "cluster/operation/failed_count"
- - "cluster/operation/running_count"
- - "cluster/operation/submitted_count"
- - "cluster/yarn/allocated_memory_percentage"
- - "cluster/yarn/apps"
- - "cluster/yarn/containers"
- - "cluster/yarn/memory_size"
- - "cluster/yarn/nodemanagers"
- - "cluster/yarn/pending_memory_size"
- - "cluster/yarn/virtual_cores"
- - "cluster/job/completion_time"
- - "cluster/job/duration"
- - "cluster/operation/completion_time"
- - "cluster/operation/duration"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2bf0693774..0000000000
--- a/packages/gcp/2.11.10/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,100 +0,0 @@ ---- -description: Pipeline for parsing GCP Dataproc metrics. -processors: - - rename: - field: gcp.metrics.batch.spark.executors.count - target_field: gcp.dataproc.batch.spark.executors.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.hdfs.datanodes.count - target_field: gcp.dataproc.cluster.hdfs.datanodes.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.hdfs.storage_capacity.value - target_field: gcp.dataproc.cluster.hdfs.storage_capacity.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.hdfs.storage_utilization.value - target_field: gcp.dataproc.cluster.hdfs.storage_utilization.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.hdfs.unhealthy_blocks.count - target_field: gcp.dataproc.cluster.hdfs.unhealthy_blocks.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.job.failed.count - target_field: gcp.dataproc.cluster.job.failed.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.job.running.count - target_field: gcp.dataproc.cluster.job.running.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.job.submitted.count - target_field: gcp.dataproc.cluster.job.submitted.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.operation.failed.count - target_field: gcp.dataproc.cluster.operation.failed.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.operation.running.count - target_field: gcp.dataproc.cluster.operation.running.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.operation.submitted.count - target_field: gcp.dataproc.cluster.operation.submitted.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.allocated_memory_percentage.value - target_field: gcp.dataproc.cluster.yarn.allocated_memory_percentage.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.apps.count - target_field: 
gcp.dataproc.cluster.yarn.apps.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.containers.count - target_field: gcp.dataproc.cluster.yarn.containers.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.memory_size.value - target_field: gcp.dataproc.cluster.yarn.memory_size.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.nodemanagers.count - target_field: gcp.dataproc.cluster.yarn.nodemanagers.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.pending_memory_size.value - target_field: gcp.dataproc.cluster.yarn.pending_memory_size.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.yarn.virtual_cores.count - target_field: gcp.dataproc.cluster.yarn.virtual_cores.count - ignore_missing: true - - rename: - field: gcp.metrics.cluster.job.completion_time.value - target_field: gcp.dataproc.cluster.job.completion_time.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.job.duration.value - target_field: gcp.dataproc.cluster.job.duration.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.operation.completion_time.value - target_field: gcp.dataproc.cluster.operation.completion_time.value - ignore_missing: true - - rename: - field: gcp.metrics.cluster.operation.duration.value - target_field: gcp.dataproc.cluster.operation.duration.value - ignore_missing: true - - remove: - ignore_missing: true - field: - - gcp.metrics - -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.10/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.10/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.10/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.10/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.10/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.10/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.10/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.10/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.10/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.10/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.10/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.10/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.10/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/2.11.10/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.10/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- An array containing an object for each answer section returned by the server.
- The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
- Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
- name: dns.answers
- normalize:
- - array
- type: object
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- Array containing all IPs seen in `answers.data`.
- The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
- name: dns.resolved_ip
- normalize:
- - array
- type: ip
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
diff --git a/packages/gcp/2.11.10/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.10/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.10/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.10/data_stream/dns/manifest.yml b/packages/gcp/2.11.10/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.10/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10/data_stream/dns/sample_event.json b/packages/gcp/2.11.10/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.10/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No
newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.10/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8556ebb766..0000000000
--- a/packages/gcp/2.11.10/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-description: Pipeline for parsing GCP Firestore metrics.
-processors:
- - rename:
- field: gcp.metrics.document.delete.count
- target_field: gcp.firestore.document.delete.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.read.count
- target_field: gcp.firestore.document.read.count
- ignore_missing: true
- - rename:
- field: gcp.metrics.document.write.count
- target_field: gcp.firestore.document.write.count
- ignore_missing: true
- - remove:
- field:
- - gcp.metrics
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.10/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/firestore/fields/base-fields.yml
deleted file mode 100755
index 7d9cfc69ef..0000000000
--- a/packages/gcp/2.11.10/data_stream/firestore/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firestore
diff --git a/packages/gcp/2.11.10/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/firestore/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.10/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 
--- a/packages/gcp/2.11.10/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.10/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10/data_stream/firestore/manifest.yml b/packages/gcp/2.11.10/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.10/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10/data_stream/firestore/sample_event.json b/packages/gcp/2.11.10/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.10/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.10/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.10/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.10/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 93e2a6ab3b..0000000000 --- a/packages/gcp/2.11.10/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firewall diff --git a/packages/gcp/2.11.10/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 9723061204..0000000000 --- a/packages/gcp/2.11.10/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.10/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.10/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index 98681562b2..0000000000
--- a/packages/gcp/2.11.10/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.10/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.10/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10/data_stream/firewall/manifest.yml b/packages/gcp/2.11.10/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.10/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10/data_stream/firewall/sample_event.json b/packages/gcp/2.11.10/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.10/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0046ac8843..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.10/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.10/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.10/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.10/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.10/data_stream/gke/fields/fields.yml
deleted file mode 100755
index ccef93d523..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- name: gcp.gke
- description: Google Cloud GKE metrics
- type: group
- fields:
- - name: container.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
- - name: container.cpu.limit_cores.value
- type: double
- description: CPU cores limit of the container. Sampled every 60 seconds.
- - name: container.cpu.limit_utilization.pct
- type: double
- description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.cpu.request_cores.value
- type: double
- description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.cpu.request_utilization.pct
- type: double
- description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.ephemeral_storage.limit.bytes
- type: long
- description: Local ephemeral storage limit in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.request.bytes
- type: long
- description: Local ephemeral storage request in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage usage in bytes. Sampled every 60 seconds.
- - name: container.memory.limit.bytes
- type: long
- description: Memory limit of the container in bytes. Sampled every 60 seconds.
- - name: container.memory.limit_utilization.pct
- type: double
- description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.page_fault.count
- type: long
- description: Number of page faults, broken down by type, major and minor.
- - name: container.memory.request.bytes
- type: long
- description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.request_utilization.pct
- type: double
- description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.memory.used.bytes
- type: long
- description: Memory usage in bytes. Sampled every 60 seconds.
- - name: container.restart.count
- type: long
- description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.uptime.sec
- type: double
- description: Time in seconds that the container has been running. Sampled every 60 seconds.
- - name: node.cpu.allocatable_cores.value
- type: double
- description: Number of allocatable CPU cores on the node. Sampled every 60 seconds.
- - name: node.cpu.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: node.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
- - name: node.cpu.total_cores.value
- type: double
- description: Total number of CPU cores on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.allocatable.bytes
- type: long
- description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_free.value
- type: long
- description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_total.value
- type: long
- description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.total.bytes
- type: long
- description: Total ephemeral storage bytes on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: node.memory.total.bytes
- type: long
- description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
- - name: node.memory.used.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.network.received_bytes.count
- type: long
- description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
- - name: node.network.sent_bytes.count
- type: long
- description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
- - name: node.pid_limit.value
- type: long
- description: The max PID of OS on the node. Sampled every 60 seconds.
- - name: node.pid_used.value
- type: long
- description: The number of running process in the OS on the node. Sampled every 60 seconds.
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.10/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.10/data_stream/gke/manifest.yml b/packages/gcp/2.11.10/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.10/data_stream/gke/sample_event.json b/packages/gcp/2.11.10/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.10/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.10/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: loadbalancing
- metric_types:
- - "https/backend_request_bytes_count"
- - "https/backend_request_count"
- - "https/backend_response_bytes_count"
- - "https/request_bytes_count"
- - "https/request_count"
- - "https/response_bytes_count"
- - "l3/external/egress_bytes_count"
- - "l3/external/egress_packets_count"
- - "l3/external/ingress_bytes_count"
- - "l3/external/ingress_packets_count"
- - "l3/internal/egress_bytes_count"
- - "l3/internal/egress_packets_count"
- - "l3/internal/ingress_bytes_count"
- - "l3/internal/ingress_packets_count"
- - "tcp_ssl_proxy/closed_connections"
- - "tcp_ssl_proxy/egress_bytes_count"
- - "tcp_ssl_proxy/ingress_bytes_count"
- - "tcp_ssl_proxy/new_connections"
- - "tcp_ssl_proxy/open_connections"
- - "https/backend_latencies"
- - "https/external/regional/backend_latencies"
- - "https/external/regional/total_latencies"
- - "https/frontend_tcp_rtt"
- - "https/internal/backend_latencies"
- - "https/internal/total_latencies"
- - "https/total_latencies"
- - "l3/external/rtt_latencies"
- - "l3/internal/rtt_latencies"
- - "tcp_ssl_proxy/frontend_tcp_rtt"
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 81bd6368c6..0000000000
--- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -description: Pipeline for parsing GCP Loadbalancing metrics. -processors: - - rename: - field: gcp.metrics.https.backend_request.bytes - target_field: gcp.loadbalancing_metrics.https.backend_request.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_request.count - target_field: gcp.loadbalancing_metrics.https.backend_request.count - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_response.bytes - target_field: gcp.loadbalancing_metrics.https.backend_response.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.request.bytes - target_field: gcp.loadbalancing_metrics.https.request.bytes - ignore_missing: true - - rename: - field: gcp.metrics.https.request.count - target_field: gcp.loadbalancing_metrics.https.request.count - ignore_missing: true - - rename: - field: gcp.metrics.https.response.bytes - target_field: gcp.loadbalancing_metrics.https.response.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.egress.bytes - target_field: gcp.loadbalancing_metrics.l3.external.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.egress_packets.count - target_field: gcp.loadbalancing_metrics.l3.external.egress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.ingress.bytes - target_field: gcp.loadbalancing_metrics.l3.external.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.ingress_packets.count - target_field: gcp.loadbalancing_metrics.l3.external.ingress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.egress.bytes - target_field: gcp.loadbalancing_metrics.l3.internal.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.egress_packets.count - target_field: gcp.loadbalancing_metrics.l3.internal.egress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.ingress.bytes - target_field: 
gcp.loadbalancing_metrics.l3.internal.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.ingress_packets.count - target_field: gcp.loadbalancing_metrics.l3.internal.ingress_packets.count - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.closed_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.closed_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.egress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.egress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.ingress.bytes - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.ingress.bytes - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.new_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.new_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.open_connections.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.open_connections.value - ignore_missing: true - - rename: - field: gcp.metrics.https.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.backend_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.external.regional.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.external.regional.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.https.frontend_tcp_rtt.value - ignore_missing: true - - rename: - field: gcp.metrics.https.internal.backend_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.backend_latencies.value - ignore_missing: true - - rename: - field: 
gcp.metrics.https.internal.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.internal.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.https.total_latencies.value - target_field: gcp.loadbalancing_metrics.https.total_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.external.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.external.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.l3.internal.rtt_latencies.value - target_field: gcp.loadbalancing_metrics.l3.internal.rtt_latencies.value - ignore_missing: true - - rename: - field: gcp.metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.frontend_tcp_rtt.value - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 --- a/packages/gcp/2.11.10/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 41c81b4d9b..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,207 +0,0 @@ ---- -description: Pipeline for parsing GCP PubSub metrics. -processors: - - rename: - field: gcp.metrics.snapshot.backlog.bytes - target_field: gcp.pubsub.snapshot.backlog.bytes - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.backlog_bytes_by_region.bytes - target_field: gcp.pubsub.snapshot.backlog_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.config_updates.count - target_field: gcp.pubsub.snapshot.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.num_messages.value - target_field: gcp.pubsub.snapshot.num_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.num_messages_by_region.value - target_field: gcp.pubsub.snapshot.num_messages_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.oldest_message_age.sec - target_field: gcp.pubsub.snapshot.oldest_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.snapshot.oldest_message_age_by_region.sec - target_field: gcp.pubsub.snapshot.oldest_message_age_by_region.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.ack_message.count - target_field: gcp.pubsub.subscription.ack_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.backlog.bytes - target_field: gcp.pubsub.subscription.backlog.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.byte_cost.bytes - target_field: gcp.pubsub.subscription.byte_cost.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.config_updates.count - target_field: gcp.pubsub.subscription.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.dead_letter_message.count - target_field: gcp.pubsub.subscription.dead_letter_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_message.count - target_field: 
gcp.pubsub.subscription.mod_ack_deadline_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_message_operation.count - target_field: gcp.pubsub.subscription.mod_ack_deadline_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.mod_ack_deadline_request.count - target_field: gcp.pubsub.subscription.mod_ack_deadline_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.num_outstanding_messages.value - target_field: gcp.pubsub.subscription.num_outstanding_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.num_undelivered_messages.value - target_field: gcp.pubsub.subscription.num_undelivered_messages.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_retained_acked_message_age.sec - target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_retained_acked_message_age_by_region.value - target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_unacked_message_age.sec - target_field: gcp.pubsub.subscription.oldest_unacked_message_age.sec - ignore_missing: true - - rename: - field: gcp.metrics.subscription.oldest_unacked_message_age_by_region.value - target_field: gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_ack_message_operation.count - target_field: gcp.pubsub.subscription.pull_ack_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_ack_request.count - target_field: gcp.pubsub.subscription.pull_ack_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_message_operation.count - target_field: 
gcp.pubsub.subscription.pull_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.pull_request.count - target_field: gcp.pubsub.subscription.pull_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.push_request.count - target_field: gcp.pubsub.subscription.push_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.retained_acked.bytes - target_field: gcp.pubsub.subscription.retained_acked.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.retained_acked_bytes_by_region.bytes - target_field: gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.seek_request.count - target_field: gcp.pubsub.subscription.seek_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.sent_message.count - target_field: gcp.pubsub.subscription.sent_message.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_ack_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_ack_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_ack_request.count - target_field: gcp.pubsub.subscription.streaming_pull_ack_request.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_message_operation.count - target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_request.count - target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count - ignore_missing: true - - rename: - field: 
gcp.metrics.subscription.streaming_pull_response.count - target_field: gcp.pubsub.subscription.streaming_pull_response.count - ignore_missing: true - - rename: - field: gcp.metrics.subscription.unacked_bytes_by_region.bytes - target_field: gcp.pubsub.subscription.unacked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.byte_cost.bytes - target_field: gcp.pubsub.topic.byte_cost.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.config_updates.count - target_field: gcp.pubsub.topic.config_updates.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.message_sizes.bytes - target_field: gcp.pubsub.topic.message_sizes.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.oldest_retained_acked_message_age_by_region.value - target_field: gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.topic.oldest_unacked_message_age_by_region.value - target_field: gcp.pubsub.topic.oldest_unacked_message_age_by_region.value - ignore_missing: true - - rename: - field: gcp.metrics.topic.retained_acked_bytes_by_region.bytes - target_field: gcp.pubsub.topic.retained_acked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.topic.send_message_operation.count - target_field: gcp.pubsub.topic.send_message_operation.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.send_request.count - target_field: gcp.pubsub.topic.send_request.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.streaming_pull_response.count - target_field: gcp.pubsub.topic.streaming_pull_response.count - ignore_missing: true - - rename: - field: gcp.metrics.topic.unacked_bytes_by_region.bytes - target_field: gcp.pubsub.topic.unacked_bytes_by_region.bytes - ignore_missing: true - - rename: - field: gcp.metrics.subscription.ack_latencies.value - target_field: gcp.pubsub.subscription.ack_latencies.value - 
ignore_missing: true - - rename: - field: gcp.metrics.subscription.push_request_latencies.value - target_field: gcp.pubsub.subscription.push_request_latencies.value - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.10/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.10/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.10/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.10/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.10/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.10/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.10/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.10/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.10/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/storage/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 011741d2b4..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -description: Pipeline for parsing GCP Storage metrics. -processors: - - rename: - field: gcp.metrics.api.request.count - target_field: gcp.storage.api.request.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_based_object_access.count - target_field: gcp.storage.authz.acl_based_object_access.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.acl_operations.count - target_field: gcp.storage.authz.acl_operations.count - ignore_missing: true - - rename: - field: gcp.metrics.authz.object_specific_acl_mutation.count - target_field: gcp.storage.authz.object_specific_acl_mutation.count - ignore_missing: true - - rename: - field: gcp.metrics.network.received.bytes - target_field: gcp.storage.network.received.bytes - ignore_missing: true - - rename: - field: gcp.metrics.network.sent.bytes - target_field: gcp.storage.network.sent.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.object.count - target_field: gcp.storage.storage.object.count - ignore_missing: true - - rename: - field: gcp.metrics.storage.total_byte_seconds.bytes - target_field: gcp.storage.storage.total_byte_seconds.bytes - ignore_missing: true - - rename: - field: gcp.metrics.storage.total.bytes - target_field: gcp.storage.storage.total.bytes - ignore_missing: true - - remove: - field: - - gcp.metrics - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.10/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.10/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.10/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.10/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.10/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.10/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.10/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.10/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.10/data_stream/storage/manifest.yml b/packages/gcp/2.11.10/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.10/data_stream/storage/sample_event.json b/packages/gcp/2.11.10/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.10/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.10/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.10/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 52c89261fa..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.10/data_stream/vpcflow/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.10/data_stream/vpcflow/fields/base-fields.yml deleted file mode 100755 index 09f5a3a04a..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.vpcflow diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.10/data_stream/vpcflow/fields/ecs.yml deleted file mode 100755 index 87e2bcffa2..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.10/data_stream/vpcflow/fields/fields.yml deleted file mode 100755 index afd0aca3fa..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.10/data_stream/vpcflow/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.10/data_stream/vpcflow/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.10/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.10/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.10/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.10/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.10/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/docs/README.md b/packages/gcp/2.11.10/docs/README.md deleted file mode 100755 index 5194cf59ef..0000000000 --- a/packages/gcp/2.11.10/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. 
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10/docs/audit.md b/packages/gcp/2.11.10/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.10/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10/docs/billing.md b/packages/gcp/2.11.10/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.10/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10/docs/compute.md b/packages/gcp/2.11.10/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.10/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10/docs/dataproc.md b/packages/gcp/2.11.10/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.10/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster.
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10/docs/dns.md b/packages/gcp/2.11.10/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.10/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query.
| keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10/docs/firestore.md b/packages/gcp/2.11.10/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.10/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10/docs/firewall.md b/packages/gcp/2.11.10/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.10/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10/docs/gke.md b/packages/gcp/2.11.10/docs/gke.md deleted file mode 100755 index 58c31a0c39..0000000000 --- a/packages/gcp/2.11.10/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.10/docs/loadbalancing.md b/packages/gcp/2.11.10/docs/loadbalancing.md deleted file mode 100755 index b7f53f6ca7..0000000000 --- a/packages/gcp/2.11.10/docs/loadbalancing.md +++ /dev/null 
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.10/docs/pubsub.md b/packages/gcp/2.11.10/docs/pubsub.md deleted file mode 100755 index ffce8028d9..0000000000 --- a/packages/gcp/2.11.10/docs/pubsub.md +++ /dev/null 
@@ -1,167 +0,0 @@
-# PubSub
-
-## Metrics
-
-The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `pubsub` looks as following:
-
-```json
-{
-"@timestamp": "2017-10-12T08:05:34.853Z",
-"cloud": {
-"account": {
-"id": "elastic-obs-integrations-dev",
-"name": "elastic-obs-integrations-dev"
-},
-"instance": {
-"id": "4751091017865185079",
-"name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-},
-"machine": {
-"type": "e2-medium"
-},
-"provider": "gcp",
-"availability_zone": "us-central1-c",
-"region": "us-central1"
-},
-"event": {
-"dataset": "gcp.pubsub",
-"duration": 115000,
-"module": "gcp"
-},
-"gcp": {
-"pubsub": {
-"subscription": {
-"backlog": {
-"bytes": 0
-}
-}
-},
-"labels": {
-"user": {
-"goog-gke-node": ""
-}
-}
-},
-"host": {
-"id": "4751091017865185079",
-"name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-},
-"metricset": {
-"name": "pubsub",
-"period": 10000
-},
-"service": {
-"type": "gcp"
-}
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long |
-| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object |
-| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes.
This is used to measure quota utilization. | long |
-| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long |
-| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long |
-| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long |
-| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result.
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long |
-| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long |
-| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long |
-| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object |
-| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long |
-| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long |
-| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long |
-| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
| long |
-| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long |
-| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object |
-| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
| long |
-| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long |
-| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version.
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10/docs/storage.md b/packages/gcp/2.11.10/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.10/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# Storage
-
-## Metrics
-
-The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `storage` looks as following:
-
-```json
-{
-"@timestamp": "2017-10-12T08:05:34.853Z",
-"cloud": {
-"account": {
-"id": "elastic-obs-integrations-dev",
-"name": "elastic-obs-integrations-dev"
-},
-"instance": {
-"id": "4751091017865185079",
-"name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-},
-"machine": {
-"type": "e2-medium"
-},
-"provider": "gcp",
-"availability_zone": "us-central1-c",
-"region": "us-central1"
-},
-"event": {
-"dataset": "gcp.storage",
-"duration": 115000,
-"module": "gcp"
-},
-"gcp": {
-"storage": {
-"storage": {
-"total": {
-"bytes": 4472520191
-}
-},
-"network": {
-"received": {
-"bytes": 4472520191
-}
-}
-},
-"labels": {
-"user": {
-"goog-gke-node": ""
-}
-}
-},
-"host": {
-"id": "4751091017865185079",
-"name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-},
-"metricset": {
-"name": "storage",
-"period": 10000
-},
-"service": {
-"type": "gcp"
-}
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long |
-| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long |
-| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long |
-| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long |
-| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long |
-| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.10/docs/vpcflow.md b/packages/gcp/2.11.10/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.10/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# VPC Flow
-
-## Logs
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application.
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.10/img/filebeat-gcp-audit.png b/packages/gcp/2.11.10/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.10/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.10/img/gcp-billing.png b/packages/gcp/2.11.10/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.10/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.10/img/gcp-compute.png b/packages/gcp/2.11.10/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.10/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.10/img/logo_gcp.svg b/packages/gcp/2.11.10/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.10/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.10/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.10/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.10/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.10/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@
-{
- "attributes": {
- "description": "Overview of the firewall log data from Google Cloud.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
},
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 22d953a269..0000000000
--- a/packages/gcp/2.11.10/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing L3 Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing L3 Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa",
- "type": "visualization"
- },
- {
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3",
- "type": "visualization"
- },
- {
- "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87",
- "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86",
- "type": "visualization"
- },
- {
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a",
- "type": "visualization"
- },
- {
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/2.11.10/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.10/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.10/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.10/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.10/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.10/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.10/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.10/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.10/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.10/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.10/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.10/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.10/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.10/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.10/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.10/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.10/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.10/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.10/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.10/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.10/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.10/manifest.yml b/packages/gcp/2.11.10/manifest.yml deleted file mode 100755 index 57eb59175c..0000000000 --- a/packages/gcp/2.11.10/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.10" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.2/LICENSE.txt b/packages/gcp/2.11.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.2/changelog.yml b/packages/gcp/2.11.2/changelog.yml
deleted file mode 100755
index 04b85dac1e..0000000000
--- a/packages/gcp/2.11.2/changelog.yml
+++ /dev/null
@@ -1,259 +0,0 @@ -# newer versions go on top -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 -- version: "2.4.0" - changes: - - description: Update package to ECS 
8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.2/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.2/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.2/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.2/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.2/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.2/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.2/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.2/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.2/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.2/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.2/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.2/data_stream/audit/manifest.yml b/packages/gcp/2.11.2/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.2/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.2/data_stream/audit/sample_event.json b/packages/gcp/2.11.2/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.2/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.2/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.2/data_stream/billing/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.billing
diff --git a/packages/gcp/2.11.2/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.2/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.2/data_stream/billing/fields/fields.yml
deleted file mode 100755
index 01a7e615bf..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.2/data_stream/billing/manifest.yml b/packages/gcp/2.11.2/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.2/data_stream/billing/sample_event.json b/packages/gcp/2.11.2/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.2/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.2/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.2/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.compute
diff --git a/packages/gcp/2.11.2/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.2/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.2/data_stream/compute/fields/fields.yml
deleted file mode 100755
index c55330dd65..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.2/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.2/data_stream/compute/manifest.yml b/packages/gcp/2.11.2/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.2/data_stream/compute/sample_event.json b/packages/gcp/2.11.2/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.2/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 97afa3e9d5..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,13 +0,0 @@
-metricsets: ["dataproc"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.2/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755
index 0dbeaa24e6..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dataproc
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/dataproc/fields/ecs.yml deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.2/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.2/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.2/data_stream/dataproc/manifest.yml deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.2/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.2/data_stream/dataproc/sample_event.json deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.2/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.2/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.2/data_stream/dns/fields/agent.yml deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.2/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/dns/fields/base-fields.yml deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/2.11.2/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/dns/fields/ecs.yml deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.2/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.2/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.2/data_stream/dns/manifest.yml b/packages/gcp/2.11.2/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.2/data_stream/dns/sample_event.json b/packages/gcp/2.11.2/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.2/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.2/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/firestore/fields/base-fields.yml
deleted file mode 100755
index 7d9cfc69ef..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firestore
diff --git a/packages/gcp/2.11.2/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/firestore/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.2/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.2/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.2/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.2/data_stream/firestore/manifest.yml b/packages/gcp/2.11.2/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.2/data_stream/firestore/sample_event.json b/packages/gcp/2.11.2/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.2/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.2/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.2/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.2/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 93e2a6ab3b..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firewall diff --git a/packages/gcp/2.11.2/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 9723061204..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.2/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: gcp.firewall - type: group - fields: - - name: rule_details - type: group - fields: - - name: priority - type: long - description: The priority for the firewall rule. - - name: action - type: keyword - description: Action that the rule performs on match. - - name: direction - type: keyword - description: Direction of traffic that matches this rule. - - name: reference - type: keyword - description: Reference to the firewall rule. - - name: source_range - type: keyword - description: List of source ranges that the firewall rule applies to. - - name: destination_range - type: keyword - description: List of destination ranges that the firewall applies to. - - name: source_tag - type: keyword - description: | - List of all the source tags that the firewall rule applies to. - - name: target_tag - type: keyword - description: | - List of all the target tags that the firewall rule applies to. - - name: ip_port_info - type: array - description: | - List of ip protocols and applicable port ranges for rules. - - name: source_service_account - type: keyword - description: | - List of all the source service accounts that the firewall rule applies to. - - name: target_service_account - type: keyword - description: | - List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.11.2/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/firewall/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.2/data_stream/firewall/manifest.yml b/packages/gcp/2.11.2/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.2/data_stream/firewall/sample_event.json b/packages/gcp/2.11.2/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.2/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 43713a752d..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["gke"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.2/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.2/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.2/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.2/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.2/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.2/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.2/data_stream/gke/manifest.yml b/packages/gcp/2.11.2/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.2/data_stream/gke/sample_event.json b/packages/gcp/2.11.2/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.2/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index f10556ac50..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.2/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 0afe006419..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["loadbalancing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} \ No newline at end of file diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 74c9ca6043..0000000000 
--- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 --- a/packages/gcp/2.11.2/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 7bd32a16a4..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["pubsub"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} 
diff --git a/packages/gcp/2.11.2/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.2/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.2/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.2/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.2/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.2/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.2/data_stream/pubsub/fields/fields.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.2/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.2/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.2/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.2/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.2/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.2/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.2/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index 35bdb8482b..0000000000 --- a/packages/gcp/2.11.2/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["storage"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} diff --git a/packages/gcp/2.11.2/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.2/data_stream/storage/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.2/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.2/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.2/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.2/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.2/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.2/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.2/data_stream/storage/manifest.yml b/packages/gcp/2.11.2/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.2/data_stream/storage/sample_event.json b/packages/gcp/2.11.2/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.2/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@
----
-description: Pipeline for Google Cloud VPC Flow Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: connection
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.bytes_sent
- target_field: source.bytes
- ignore_missing: true
- - rename:
- field: json.jsonPayload.packets_sent
- target_field: source.packets
- ignore_missing: true
- - rename:
- field: json.jsonPayload.start_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.jsonPayload.end_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
- target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - convert:
- field: json.jsonPayload.rtt_msec
- target_field: json.jsonPayload.rtt.ms
- type: long
- ignore_missing: true
- - rename:
- field: json.jsonPayload
- target_field: gcp.vpcflow
- ignore_missing: true
- - convert:
- field: source.bytes
- type: long
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - remove:
- field:
- - gcp.vpcflow.rtt_msec
- - gcp.vpcflow.connection
- - gcp.vpcflow.dest_location
- - gcp.vpcflow.src_location
- - json
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_failure: true
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_failure: true
- if: ctx?.destination?.address != null
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "DEST"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.gcp?.vpcflow?.reporter == "SRC"
- - convert:
- field: source.bytes
- type: long
- target_field: network.bytes
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- target_field: network.packets
- ignore_missing: true
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: outbound
- if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null
- - set:
- field: network.direction
- value: inbound
- if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.2/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.2/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.2/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.2/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.2/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.2/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.2/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.2/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.2/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/docs/README.md b/packages/gcp/2.11.2/docs/README.md deleted file mode 100755 index d2788c2ffd..0000000000 --- a/packages/gcp/2.11.2/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.2/docs/audit.md b/packages/gcp/2.11.2/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.2/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM.
| keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g.
kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
-
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.2/docs/billing.md b/packages/gcp/2.11.2/docs/billing.md deleted file mode 100755 index 30701286fe..0000000000 --- a/packages/gcp/2.11.2/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@
-# Billing
-
-## Metrics
-
-The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis.
-
-Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data.
-
-In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details.
-
-## Sample Event
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp.
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind.
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.2/docs/compute.md b/packages/gcp/2.11.2/docs/compute.md
deleted file mode 100755
index f44bacd928..0000000000
--- a/packages/gcp/2.11.2/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.2/docs/dataproc.md b/packages/gcp/2.11.2/docs/dataproc.md
deleted file mode 100755
index acfb02d2d1..0000000000
--- a/packages/gcp/2.11.2/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster.
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.2/docs/dns.md b/packages/gcp/2.11.2/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.2/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.2/docs/firestore.md b/packages/gcp/2.11.2/docs/firestore.md deleted file mode 100755 index 71627a4718..0000000000 --- a/packages/gcp/2.11.2/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. 
| long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.2/docs/firewall.md b/packages/gcp/2.11.2/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.2/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/docs/gke.md b/packages/gcp/2.11.2/docs/gke.md
deleted file mode 100755
index 367fcec297..0000000000
--- a/packages/gcp/2.11.2/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.2/docs/loadbalancing.md b/packages/gcp/2.11.2/docs/loadbalancing.md
deleted file mode 100755
index dd9376bf00..0000000000
--- a/packages/gcp/2.11.2/docs/loadbalancing.md
+++ /dev/null
@@ -1,387 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. 
| long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.2/docs/pubsub.md b/packages/gcp/2.11.2/docs/pubsub.md
deleted file mode 100755
index eaa2b29e3d..0000000000
--- a/packages/gcp/2.11.2/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.2/docs/storage.md b/packages/gcp/2.11.2/docs/storage.md deleted file mode 100755 index 690d821c5b..0000000000 --- a/packages/gcp/2.11.2/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.2/docs/vpcflow.md b/packages/gcp/2.11.2/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.2/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.2/img/filebeat-gcp-audit.png b/packages/gcp/2.11.2/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.2/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.2/img/gcp-billing.png b/packages/gcp/2.11.2/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.2/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.2/img/gcp-compute.png b/packages/gcp/2.11.2/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.2/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.2/img/logo_gcp.svg b/packages/gcp/2.11.2/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.2/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs GCP] VPC Flow",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
- "type": "index-pattern" - 
},
- {
- "id": "logs-*",
- "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index f99f385850..0000000000
--- a/packages/gcp/2.11.2/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.2/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.2/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.2/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.2/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.2/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.2/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Filters [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_3_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTMsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 437e049997..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTcsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json
deleted file mode 100755
index 8156946491..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Network Received Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3ODEsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 34aca0f6fc..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing L3 Ingress Packets [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTYsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 6156011102..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Account ID Filter [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 3e08b8a182..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json
deleted file mode 100755
index 1f8695114a..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Network Sent Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3ODAsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing HTTPS Request Count [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODcsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json
deleted file mode 100755
index 0757766861..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Read I/O [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzgsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index c8d7d7accb..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODksMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json
deleted file mode 100755
index 03fe7c646a..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Write I/O [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzksMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json
deleted file mode 100755
index 51078aae99..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Compute Firewall Dropped Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3ODIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 8895100042..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:12.649Z",
- "version": "WzM4MDMsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 4390df28b8..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:12.649Z",
- "version": "WzM4MDQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index fbbf68f4d4..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:31:12.649Z",
- "version": "WzM4MDEsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 8b7e7300c9..0000000000
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.2/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.2/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.2/manifest.yml b/packages/gcp/2.11.2/manifest.yml deleted file mode 100755 index e46ca465ce..0000000000 --- a/packages/gcp/2.11.2/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.2" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.3/LICENSE.txt b/packages/gcp/2.11.3/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.3/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/gcp/2.11.3/changelog.yml b/packages/gcp/2.11.3/changelog.yml deleted file mode 100755 index 900c276e71..0000000000 --- a/packages/gcp/2.11.3/changelog.yml +++ /dev/null 
@@ -1,264 +0,0 @@
-# newer versions go on top
-- version: "2.11.3"
- changes:
- - description: Move GKE lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3797
-- version: "2.11.2"
- changes:
- - description: Move Firestore lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3798
-- version: "2.11.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.11.0"
- changes:
- - description: Move Compute lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3797
-- version: "2.10.0"
- changes:
- - description: Add GCP PubSub Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3788
-- version: "2.9.0"
- changes:
- - description: Add GCP Dataproc Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3789
-- version: "2.8.0"
- changes:
- - description: Add GCP GKE Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4098
-- version: "2.7.0"
- changes:
- - description: Add GCP Storage Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3785
-- version: "2.6.0"
- changes:
- - description: Add Load Balancing logs datastream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3493
-- version: "2.5.0"
- changes:
- - description: Add GCP Load Balancing Metricset
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2308
- - description: Fix credentials_json escaping in loadbalancing_metrics
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
- - description: Update loadbalancing_metrics default period to 60s
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
- - description: Fix event.dataset for loadbalancing_metrics
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3865
-- version: "2.3.0"
- changes:
- - description: Add additional parsing for DNS Public Zone Query Logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2340
-- version: "2.2.1"
- changes:
- - description: Fix Billing policy template title and default period for gcp.compute
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3821
-- version: "2.2.0"
- changes:
- - description: Remove fields duplicated in ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3609
-- version: "2.1.0"
- changes:
- - description: restore compatibility with 7.17 release track
- type: enhancement
- link: foobar
-- version: "2.0.0"
- changes:
- - description: |
- Move configurations to support metrics. This change is breaking, as it moves
- some configuration from the top level variables to data stream variables.
-
- This change involves `project_id`, `credentials_file` and `credentials_json`
- variables that are moved from input level configuration to package level
- configuration (as those variables are reused across all inputs/data streams).
-
- Users with GCP integration enabled will need to input values for these
- variables again when upgrading the policies to this version.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/2707
- - description: Add GCP Billing Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2141
- - description: Add GCP Compute Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2301
- - description: Add GCP Firestore Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2704
-- version: "1.10.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.9.2"
- changes:
- - description: Fix GCP auditlog parsing issue on response status
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3583
-- version: "1.9.1"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3103
-- version: "1.9.0"
- changes:
- - description: Preserve request and response in flattened fields.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3390
-- version: "1.8.0"
- changes:
- - description: Add missing `cloud.provider` field.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3274
-- version: "1.7.0"
- changes:
- - description: Add dashboards for firewall and vpc flow logs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3280
- - description: Add missing mappings for several `event.*` fields.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3280
-- version: "1.6.1"
- changes:
- - description: Clarify the GCP privileges required by the Pub/Sub input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3206
-- version: "1.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.5.0"
- changes:
- - description: Improve Google Cloud Platform docs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2842
-- version: "1.4.2"
- changes:
- - description: Remove emtpy values, names with only dots, and invalid client IPs.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2747
-- version: "1.4.1"
- changes:
- - description: Fix quoting of the credentials_json value in policy templates.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2712
-- version: "1.4.0"
- changes:
- - description: Add gcp.dns integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2624
-- version: "1.3.1"
- changes:
- - description: Add Ingest Pipeline script to map IANA Protocol Numbers
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2470
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2406
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2251
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1965
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1818
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1661
-- version: "1.0.0"
- changes:
- - description: Move from experimental to GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1568
- - description: remove experimental from data_sets
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1717
-- version: "0.3.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1478
-- version: '0.3.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1385
-- version: "0.3.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.3.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.2.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1240
-- version: "0.1.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1045
-- version: "0.0.2"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/846
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/459
diff --git a/packages/gcp/2.11.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.3/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.3/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.3/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.3/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/2.11.3/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/2.11.3/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 4487d9358b..0000000000 --- a/packages/gcp/2.11.3/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.3/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.3/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.3/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.3/data_stream/audit/manifest.yml b/packages/gcp/2.11.3/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.3/data_stream/audit/sample_event.json b/packages/gcp/2.11.3/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.3/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.3/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.3/data_stream/billing/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.billing
diff --git a/packages/gcp/2.11.3/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.3/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.3/data_stream/billing/fields/fields.yml
deleted file mode 100755
index 01a7e615bf..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.3/data_stream/billing/manifest.yml b/packages/gcp/2.11.3/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.3/data_stream/billing/sample_event.json b/packages/gcp/2.11.3/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.3/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.3/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.3/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.compute
diff --git a/packages/gcp/2.11.3/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.3/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.3/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.3/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.3/data_stream/compute/manifest.yml b/packages/gcp/2.11.3/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.3/data_stream/compute/sample_event.json b/packages/gcp/2.11.3/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.3/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 97afa3e9d5..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,13 +0,0 @@
-metricsets: ["dataproc"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.3/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/dataproc/fields/base-fields.yml
deleted file mode 100755
index 0dbeaa24e6..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dataproc
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/dataproc/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.3/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.3/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.3/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.3/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.3/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.3/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.3/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.3/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.3/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.3/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.3/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.3/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.3/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.3/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.3/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.3/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.3/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.3/data_stream/dns/manifest.yml b/packages/gcp/2.11.3/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.3/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.3/data_stream/dns/sample_event.json b/packages/gcp/2.11.3/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.3/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.3/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.3/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.3/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 
--- a/packages/gcp/2.11.3/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.3/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.3/data_stream/firestore/manifest.yml b/packages/gcp/2.11.3/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.3/data_stream/firestore/sample_event.json b/packages/gcp/2.11.3/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.3/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.3/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.3/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.3/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.3/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.3/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.3/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.3/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.3/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.3/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.3/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.3/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.3/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.3/data_stream/firewall/manifest.yml b/packages/gcp/2.11.3/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.3/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.3/data_stream/firewall/sample_event.json b/packages/gcp/2.11.3/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.3/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5d212d9c02..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.3/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.3/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.3/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.3/data_stream/gke/fields/fields.yml
deleted file mode 100755
index ccef93d523..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- name: gcp.gke
- description: Google Cloud GKE metrics
- type: group
- fields:
- - name: container.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
- - name: container.cpu.limit_cores.value
- type: double
- description: CPU cores limit of the container. Sampled every 60 seconds.
- - name: container.cpu.limit_utilization.pct
- type: double
- description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.cpu.request_cores.value
- type: double
- description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.cpu.request_utilization.pct
- type: double
- description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.ephemeral_storage.limit.bytes
- type: long
- description: Local ephemeral storage limit in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.request.bytes
- type: long
- description: Local ephemeral storage request in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage usage in bytes. Sampled every 60 seconds.
- - name: container.memory.limit.bytes
- type: long
- description: Memory limit of the container in bytes. Sampled every 60 seconds.
- - name: container.memory.limit_utilization.pct
- type: double
- description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.page_fault.count
- type: long
- description: Number of page faults, broken down by type, major and minor.
- - name: container.memory.request.bytes
- type: long
- description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.request_utilization.pct
- type: double
- description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.memory.used.bytes
- type: long
- description: Memory usage in bytes. Sampled every 60 seconds.
- - name: container.restart.count
- type: long
- description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.uptime.sec
- type: double
- description: Time in seconds that the container has been running. Sampled every 60 seconds.
- - name: node.cpu.allocatable_cores.value
- type: double
- description: Number of allocatable CPU cores on the node. Sampled every 60 seconds.
- - name: node.cpu.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: node.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
- - name: node.cpu.total_cores.value
- type: double
- description: Total number of CPU cores on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.allocatable.bytes
- type: long
- description: Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_free.value
- type: long
- description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_total.value
- type: long
- description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.total.bytes
- type: long
- description: Total ephemeral storage bytes on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: node.memory.total.bytes
- type: long
- description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
- - name: node.memory.used.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.network.received_bytes.count
- type: long
- description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
- - name: node.network.sent_bytes.count
- type: long
- description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
- - name: node.pid_limit.value
- type: long
- description: The max PID of OS on the node. Sampled every 60 seconds.
- - name: node.pid_used.value
- type: long
- description: The number of running process in the OS on the node. Sampled every 60 seconds.
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.3/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.3/data_stream/gke/manifest.yml b/packages/gcp/2.11.3/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.3/data_stream/gke/sample_event.json b/packages/gcp/2.11.3/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.3/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@
----
-description: Pipeline for Google Cloud DNS logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.type
- value: info
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - date:
- field: json.receiveTimestamp
- target_field: event.created
- timezone: UTC
- formats:
- - ISO8601
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - convert:
- field: json.resource.labels.project_id
- target_field: cloud.project.id
- type: string
- ignore_failure: true
- - convert:
- field: json.resource.labels.zone
- target_field: cloud.region
- type: string
- ignore_failure: true
- - grok:
- field: json.httpRequest.remoteIp
- ignore_missing: true
- patterns:
- - ^%{IP:source.address}(:%{POSINT:source.port:long})?$
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_failure: true
- - geoip:
- field: source.ip
- target_field: source.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: json.httpRequest.requestMethod
- target_field: http.request.method
- ignore_missing: true
- - convert:
- field: json.httpRequest.requestSize
- target_field: http.request.bytes
- type: long
- ignore_missing: true
- - convert:
- field: json.httpRequest.responseSize
- target_field: http.response.bytes
- type: long
- ignore_missing: true
- - rename:
- field: json.httpRequest.status
- target_field: http.response.status_code
- ignore_missing: true
- - dissect:
- field: json.httpRequest.protocol
- pattern: "%{network.protocol}/%{http.version}"
- ignore_failure: true
- if: ctx.json?.httpRequest?.protocol != null
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - user_agent:
- field: json.httpRequest.userAgent
- target_field: user_agent
- ignore_missing: true
- - uri_parts:
- field: json.httpRequest.requestUrl
- target_field: url
- if: ctx.json?.httpRequest?.requestUrl != null
- - rename:
- field: json.httpRequest.referer
- target_field: http.request.referrer
- ignore_missing: true
- - grok:
- field: json.httpRequest.serverIp
- ignore_missing: true
- patterns:
- - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$
- - set:
- field: destination.address
- copy_from: url.domain
- ignore_empty_value: true
- ignore_failure: true
- - set:
- field: destination.port
- copy_from: url.port
- ignore_empty_value: true
- ignore_failure: true
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_missing: true
- on_failure:
- - rename:
- field: url.domain
- target_field: destination.domain
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.severity
- target_field: log.level
- ignore_missing: true
- - rename:
- field: json.jsonPayload.cacheId
- target_field: gcp.load_balancer.cache_id
- ignore_missing: true
- - rename:
- field: json.jsonPayload.statusDetails
- target_field: gcp.load_balancer.status_details
- ignore_missing: true
- - rename:
- field: json.httpRequest.cacheHit
- target_field: gcp.load_balancer.cache_hit
- ignore_missing: true
- - rename:
- field: json.httpRequest.cacheLookup
- target_field: gcp.load_balancer.cache_lookup
- ignore_missing: true
- - rename:
- field: json.resource.labels.url_map_name
- target_field: gcp.load_balancer.url_map_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.forwarding_rule_name
- target_field: gcp.load_balancer.forwarding_rule_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.target_proxy_name
- target_field: gcp.load_balancer.target_proxy_name
- ignore_missing: true
- - rename:
- field: json.resource.labels.backend_service_name
- target_field: gcp.load_balancer.backend_service_name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null
- - append:
- field: related.ip
- value: "{{destination.nat.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.nat?.ip != null
- - append:
- field: related.hosts
- value: "{{destination.domain}}"
- allow_duplicates: false
- if: ctx?.destination?.domain != null
- - remove:
- field:
- - json
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/base-fields.yml
deleted file mode 100755
index 5d5236cac3..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_logs
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/ecs.yml
deleted file mode 100755
index f10556ac50..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/ecs.yml
+++ /dev/null
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.3/data_stream/loadbalancing_logs/sample_event.json
deleted file mode 100755
index 2f777d5650..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_logs/sample_event.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}",
- "type": "info"
- },
- "gcp": {
- "load_balancer": {
- "backend_service_name": "",
- "cache_hit": true,
- "cache_id": "SFO-fbae48ad",
- "cache_lookup": true,
- "forwarding_rule_name": "FORWARDING_RULE_NAME",
- "status_details": "response_from_cache",
- "target_proxy_name": "TARGET_PROXY_NAME",
- "url_map_name": "URL_MAP_NAME"
- }
- },
- "http": {
- "request": {
- "bytes": 577,
- "method": "GET",
- "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript"
- },
- "response": {
- "bytes": 157,
- "status_code": 304
- },
- "version": "2.0"
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/PROJECT_ID/logs/requests"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "ip": [
- "89.160.20.156",
- "81.2.69.193",
- "10.5.3.1"
- ]
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 9989
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ],
- "url": {
- "domain": "81.2.69.193",
- "extension": "jpg",
- "original": "http://81.2.69.193:8080/static/us/three-cats.jpg",
- "path": "/static/us/three-cats.jpg",
- "port": 8080,
- "scheme": "http"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.14.6",
- "name": "Mac OS X",
- "version": "10.14.6"
- },
- "version": "83.0.4103.61"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0afe006419..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["loadbalancing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/base-fields.yml
deleted file mode 100755
index 9529fa58a5..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_metrics
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 74c9ca6043..0000000000 
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.3/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 7bd32a16a4..0000000000 --- a/packages/gcp/2.11.3/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["pubsub"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} 
diff --git a/packages/gcp/2.11.3/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.3/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.3/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.3/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.3/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.3/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.3/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.3/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.3/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.3/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.3/data_stream/pubsub/manifest.yml
deleted file mode 100755
index 39d8944a03..0000000000
--- a/packages/gcp/2.11.3/data_stream/pubsub/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP PubSub Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.3/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.3/data_stream/pubsub/sample_event.json
deleted file mode 100755
index c8419630eb..0000000000
--- a/packages/gcp/2.11.3/data_stream/pubsub/sample_event.json
+++ /dev/null
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.3/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index 35bdb8482b..0000000000 --- a/packages/gcp/2.11.3/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["storage"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} diff --git a/packages/gcp/2.11.3/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.3/data_stream/storage/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.3/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.3/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.3/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.3/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.3/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.3/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.3/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.3/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.3/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.3/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.3/data_stream/storage/manifest.yml b/packages/gcp/2.11.3/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.3/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.3/data_stream/storage/sample_event.json b/packages/gcp/2.11.3/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.3/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.3/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 52c89261fa..0000000000 --- a/packages/gcp/2.11.3/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.3/data_stream/vpcflow/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.3/data_stream/vpcflow/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.3/data_stream/vpcflow/fields/base-fields.yml deleted file mode 100755 index 09f5a3a04a..0000000000 --- a/packages/gcp/2.11.3/data_stream/vpcflow/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.vpcflow diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.3/data_stream/vpcflow/fields/ecs.yml deleted file mode 100755 index 87e2bcffa2..0000000000 --- a/packages/gcp/2.11.3/data_stream/vpcflow/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.3/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.3/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.3/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.3/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.3/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.3/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.3/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.3/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.3/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/docs/README.md b/packages/gcp/2.11.3/docs/README.md deleted file mode 100755 index d2788c2ffd..0000000000 --- a/packages/gcp/2.11.3/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- 
"bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Firestore
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword |
-
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/docs/audit.md b/packages/gcp/2.11.3/docs/audit.md
deleted file mode 100755
index ec4a74ece5..0000000000
--- a/packages/gcp/2.11.3/docs/audit.md
+++ /dev/null
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.3/docs/billing.md b/packages/gcp/2.11.3/docs/billing.md deleted file mode 100755 index 30701286fe..0000000000 --- a/packages/gcp/2.11.3/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@
-# Billing
-
-## Metrics
-
-The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis.
-
-Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data.
-
-In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details.
-
-## Sample Event
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. 
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.3/docs/compute.md b/packages/gcp/2.11.3/docs/compute.md
deleted file mode 100755
index f44bacd928..0000000000
--- a/packages/gcp/2.11.3/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.3/docs/dataproc.md b/packages/gcp/2.11.3/docs/dataproc.md
deleted file mode 100755
index acfb02d2d1..0000000000
--- a/packages/gcp/2.11.3/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. 
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.3/docs/dns.md b/packages/gcp/2.11.3/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.3/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.3/docs/firestore.md b/packages/gcp/2.11.3/docs/firestore.md deleted file mode 100755 index 71627a4718..0000000000 --- a/packages/gcp/2.11.3/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. 
| long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.3/docs/firewall.md b/packages/gcp/2.11.3/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.3/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. 
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126", 
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.3/docs/gke.md b/packages/gcp/2.11.3/docs/gke.md
deleted file mode 100755
index 367fcec297..0000000000
--- a/packages/gcp/2.11.3/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.3/docs/loadbalancing.md b/packages/gcp/2.11.3/docs/loadbalancing.md
deleted file mode 100755
index dd9376bf00..0000000000
--- a/packages/gcp/2.11.3/docs/loadbalancing.md
+++ /dev/null
@@ -1,387 +0,0 @@
-# Load Balancing
-
-## Logs
-
-The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers.
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}",
- "type": "info"
- },
- "gcp": {
- "load_balancer": {
- "backend_service_name": "",
- "cache_hit": true,
- "cache_id": "SFO-fbae48ad",
- "cache_lookup": true,
- "forwarding_rule_name": "FORWARDING_RULE_NAME",
- "status_details": "response_from_cache",
- "target_proxy_name": "TARGET_PROXY_NAME",
- "url_map_name": "URL_MAP_NAME"
- }
- },
- "http": {
- "request": {
- "bytes": 577,
- "method": "GET",
- "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript"
- },
- "response": {
- "bytes": 157,
- "status_code": 304
- },
- "version": "2.0"
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/PROJECT_ID/logs/requests"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "ip": [
- "89.160.20.156",
- "81.2.69.193",
- "10.5.3.1"
- ]
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 9989 
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ],
- "url": {
- "domain": "81.2.69.193",
- "extension": "jpg",
- "original": "http://81.2.69.193:8080/static/us/three-cats.jpg",
- "path": "/static/us/three-cats.jpg",
- "port": 8080,
- "scheme": "http"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.14.6",
- "name": "Mac OS X",
- "version": "10.14.6"
- },
- "version": "83.0.4103.61"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. 
| constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword |
-| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean |
-| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword |
-| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean |
-| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword |
-| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword |
-| gcp.load_balancer.target_proxy_name | The target proxy name | keyword |
-| gcp.load_balancer.url_map_name | The URL map name | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. 
| long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.3/docs/pubsub.md b/packages/gcp/2.11.3/docs/pubsub.md deleted file mode 100755 index eaa2b29e3d..0000000000 --- a/packages/gcp/2.11.3/docs/pubsub.md +++ /dev/null 
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.3/docs/storage.md b/packages/gcp/2.11.3/docs/storage.md deleted file mode 100755 index 690d821c5b..0000000000 --- a/packages/gcp/2.11.3/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.3/docs/vpcflow.md b/packages/gcp/2.11.3/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.3/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# VPC Flow
-
-## Logs
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application.
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network.
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system.
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number":
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.3/img/filebeat-gcp-audit.png b/packages/gcp/2.11.3/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.3/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.3/img/gcp-billing.png b/packages/gcp/2.11.3/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.3/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.3/img/gcp-compute.png b/packages/gcp/2.11.3/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.3/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.3/img/logo_gcp.svg b/packages/gcp/2.11.3/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.3/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.3/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.3/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.3/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.3/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.3/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.3/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.3/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.3/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.3/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.3/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 8895100042..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index fbbf68f4d4..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 8b7e7300c9..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 94a8ff52e0..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 441aac75ab..0000000000
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.3/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.3/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.3/manifest.yml b/packages/gcp/2.11.3/manifest.yml deleted file mode 100755 index 2b52a61283..0000000000 --- a/packages/gcp/2.11.3/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.3" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.4/LICENSE.txt b/packages/gcp/2.11.4/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.4/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.4/changelog.yml b/packages/gcp/2.11.4/changelog.yml
deleted file mode 100755
index e41234f1ea..0000000000
--- a/packages/gcp/2.11.4/changelog.yml
+++ /dev/null
@@ -1,269 +0,0 @@ -# newer versions go on top -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: 
https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. 
- type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. - type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 29baf0ede7..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.4/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.4/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.4/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.4/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.4/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.4/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.4/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.4/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.4/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.4/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.4/data_stream/audit/manifest.yml b/packages/gcp/2.11.4/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.4/data_stream/audit/sample_event.json b/packages/gcp/2.11.4/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.4/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.4/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.4/data_stream/billing/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.4/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.4/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.4/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.4/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.4/data_stream/billing/manifest.yml b/packages/gcp/2.11.4/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.4/data_stream/billing/sample_event.json b/packages/gcp/2.11.4/data_stream/billing/sample_event.json deleted file mode 100755 index 2acd0b4308..0000000000 --- a/packages/gcp/2.11.4/data_stream/billing/sample_event.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/compute/agent/stream/stream.yml.hbs deleted file mode 100755 index dd973286ef..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.4/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.4/data_stream/compute/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.4/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.4/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.4/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.4/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.4/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.4/data_stream/compute/manifest.yml b/packages/gcp/2.11.4/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.4/data_stream/compute/sample_event.json b/packages/gcp/2.11.4/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.4/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/dataproc/agent/stream/stream.yml.hbs deleted file mode 100755 index 97afa3e9d5..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,13 +0,0 @@ -metricsets: ["dataproc"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} 
diff --git a/packages/gcp/2.11.4/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.4/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.4/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.4/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.4/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.4/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.4/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.4/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.4/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.4/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.4/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.4/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.4/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.4/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.4/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.4/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset
diff --git a/packages/gcp/2.11.4/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns
diff --git a/packages/gcp/2.11.4/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@
-- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.4/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.4/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.4/data_stream/dns/manifest.yml b/packages/gcp/2.11.4/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.4/data_stream/dns/sample_event.json b/packages/gcp/2.11.4/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.4/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -}
\ No
newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.4/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/firestore/fields/base-fields.yml
deleted file mode 100755
index 7d9cfc69ef..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore
diff --git a/packages/gcp/2.11.4/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/firestore/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.4/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.4/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.4/data_stream/firestore/manifest.yml b/packages/gcp/2.11.4/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.4/data_stream/firestore/sample_event.json b/packages/gcp/2.11.4/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.4/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.4/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.4/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.4/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.4/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.4/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.4/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index 98681562b2..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.4/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.4/data_stream/firewall/manifest.yml b/packages/gcp/2.11.4/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.4/data_stream/firewall/sample_event.json b/packages/gcp/2.11.4/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.4/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name":
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5d212d9c02..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.4/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.4/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.4/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.4/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.4/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- name: gcp.gke
- description: Google Cloud GKE metrics
- type: group
- fields:
- - name: container.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
- - name: container.cpu.limit_cores.value
- type: double
- description: CPU cores limit of the container. Sampled every 60 seconds.
- - name: container.cpu.limit_utilization.pct
- type: double
- description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.cpu.request_cores.value
- type: double
- description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.cpu.request_utilization.pct
- type: double
- description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.ephemeral_storage.limit.bytes
- type: long
- description: Local ephemeral storage limit in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.request.bytes
- type: long
- description: Local ephemeral storage request in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage usage in bytes. Sampled every 60 seconds.
- - name: container.memory.limit.bytes
- type: long
- description: Memory limit of the container in bytes. Sampled every 60 seconds.
- - name: container.memory.limit_utilization.pct
- type: double
- description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit.
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.page_fault.count
- type: long
- description: Number of page faults, broken down by type, major and minor.
- - name: container.memory.request.bytes
- type: long
- description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.request_utilization.pct
- type: double
- description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.memory.used.bytes
- type: long
- description: Memory usage in bytes. Sampled every 60 seconds.
- - name: container.restart.count
- type: long
- description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.uptime.sec
- type: double
- description: Time in seconds that the container has been running. Sampled every 60 seconds.
- - name: node.cpu.allocatable_cores.value
- type: double
- description: Number of allocatable CPU cores on the node. Sampled every 60 seconds.
- - name: node.cpu.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: node.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
- - name: node.cpu.total_cores.value
- type: double
- description: Total number of CPU cores on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.allocatable.bytes
- type: long
- description: Local ephemeral storage bytes allocatable on the node.
Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_free.value
- type: long
- description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_total.value
- type: long
- description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.total.bytes
- type: long
- description: Total ephemeral storage bytes on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: node.memory.total.bytes
- type: long
- description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
- - name: node.memory.used.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.network.received_bytes.count
- type: long
- description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
- - name: node.network.sent_bytes.count
- type: long
- description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
- - name: node.pid_limit.value
- type: long
- description: The max PID of OS on the node. Sampled every 60 seconds.
- - name: node.pid_used.value
- type: long
- description: The number of running process in the OS on the node. Sampled every 60 seconds.
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.4/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.4/data_stream/gke/manifest.yml b/packages/gcp/2.11.4/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.4/data_stream/gke/sample_event.json b/packages/gcp/2.11.4/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.4/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index f10556ac50..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.4/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 0afe006419..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["loadbalancing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/base-fields.yml
deleted file mode 100755
index 9529fa58a5..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_metrics
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/fields.yml
deleted file mode 100755
index 74c9ca6043..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.4/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.4/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.4/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.4/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.4/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-- name: gcp.pubsub
- description: Google Cloud PubSub metrics
- type: group
- fields:
- - name: snapshot.backlog.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot.
- - name: snapshot.backlog_bytes_by_region.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: snapshot.num_messages.value
- type: long
- description: Number of messages retained in a snapshot.
- - name: snapshot.num_messages_by_region.value
- type: long
- description: Number of messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.oldest_message_age.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot.
- - name: snapshot.oldest_message_age_by_region.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
- - name: subscription.ack_message.count
- type: long
- description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
- - name: subscription.backlog.bytes
- type: long
- description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.byte_cost.bytes
- type: long
- description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
- - name: subscription.config_updates.count
- type: long
- description: Cumulative count of configuration changes for each subscription, grouped by operation type and result.
- - name: subscription.dead_letter_message.count
- type: long
- description: Cumulative count of messages published to dead letter topic, grouped by result.
- - name: subscription.mod_ack_deadline_message.count
- type: long
- description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
- - name: subscription.mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of ModifyAckDeadline message operations, grouped by result.
- - name: subscription.mod_ack_deadline_request.count
- type: long
- description: Cumulative count of ModifyAckDeadline requests, grouped by result.
- - name: subscription.num_outstanding_messages.value
- type: long
- description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.
- - name: subscription.num_undelivered_messages.value
- type: long
- description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.oldest_retained_acked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription.
- - name: subscription.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
- - name: subscription.oldest_unacked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
- - name: subscription.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
- - name: subscription.pull_ack_message_operation.count
- type: long
- description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_ack_request.count
- type: long
- description: Cumulative count of acknowledge requests, grouped by result.
- - name: subscription.pull_message_operation.count
- type: long
- description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_request.count
- type: long
- description: Cumulative count of pull requests, grouped by result.
- - name: subscription.push_request.count
- type: long
- description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
- - name: subscription.retained_acked.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription.
- - name: subscription.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
- - name: subscription.seek_request.count
- type: long
- description: Cumulative count of seek attempts, grouped by result.
- - name: subscription.sent_message.count
- type: long
- description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
- - name: subscription.streaming_pull_ack_message_operation.count
- type: long
- description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.streaming_pull_ack_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
- - name: subscription.streaming_pull_message_operation.count
- type: long
- description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count
- - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
- - name: subscription.streaming_pull_mod_ack_deadline_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
- - name: subscription.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: subscription.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
- - name: topic.byte_cost.bytes
- type: long
- description: Cost of operations, measured in bytes. This is used to measure utilization for quotas.
- - name: topic.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: topic.message_sizes.bytes
- type: object
- object_type: histogram
- description: Distribution of publish message sizes (in bytes)
- - name: topic.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
- - name: topic.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
- - name: topic.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
- - name: topic.send_message_operation.count
- type: long
- description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: topic.send_request.count
- type: long
- description: Cumulative count of publish requests, grouped by result.
- - name: topic.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: topic.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
- - name: subscription.ack_latencies.value
- type: object
- object_type: histogram
- description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
- - name: subscription.push_request_latencies.value
- type: object
- object_type: histogram
- description: Distribution of push request latencies (in microseconds), grouped by result.
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/pubsub/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.4/data_stream/pubsub/manifest.yml
deleted file mode 100755
index 39d8944a03..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP PubSub Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.4/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.4/data_stream/pubsub/sample_event.json
deleted file mode 100755
index c8419630eb..0000000000
--- a/packages/gcp/2.11.4/data_stream/pubsub/sample_event.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.4/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index 35bdb8482b..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["storage"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
diff --git a/packages/gcp/2.11.4/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.4/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.4/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.4/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.4/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.4/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.4/data_stream/storage/manifest.yml b/packages/gcp/2.11.4/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.4/data_stream/storage/sample_event.json b/packages/gcp/2.11.4/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.4/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@
---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets -
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.4/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.4/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.4/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application.
This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.4/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.4/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.4/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.4/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.4/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.4/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.4/docs/README.md b/packages/gcp/2.11.4/docs/README.md
deleted file mode 100755
index d2788c2ffd..0000000000
--- a/packages/gcp/2.11.4/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. 
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126", 
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. 
| integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.4/docs/audit.md b/packages/gcp/2.11.4/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.4/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@
-# Audit
-
-## Logs
-
-The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.email | User email address. | keyword |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.4/docs/billing.md b/packages/gcp/2.11.4/docs/billing.md deleted file mode 100755 index 30701286fe..0000000000 --- a/packages/gcp/2.11.4/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.4/docs/compute.md b/packages/gcp/2.11.4/docs/compute.md deleted file mode 100755 index f44bacd928..0000000000 --- a/packages/gcp/2.11.4/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.4/docs/dataproc.md b/packages/gcp/2.11.4/docs/dataproc.md deleted file mode 100755 index acfb02d2d1..0000000000 --- a/packages/gcp/2.11.4/docs/dataproc.md +++ /dev/null 
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long | -| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long | -| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double | -| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double | -| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long | -| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object | -| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long | -| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long | -| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object | -| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long | -| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.4/docs/dns.md b/packages/gcp/2.11.4/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.4/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.4/docs/firestore.md b/packages/gcp/2.11.4/docs/firestore.md deleted file mode 100755 index 71627a4718..0000000000 --- a/packages/gcp/2.11.4/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@
-# Firestore
-
-## Metrics
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.4/docs/firewall.md b/packages/gcp/2.11.4/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.4/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.4/docs/gke.md b/packages/gcp/2.11.4/docs/gke.md deleted file mode 100755 index 367fcec297..0000000000 --- a/packages/gcp/2.11.4/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.4/docs/loadbalancing.md b/packages/gcp/2.11.4/docs/loadbalancing.md deleted file mode 100755 index dd9376bf00..0000000000 --- a/packages/gcp/2.11.4/docs/loadbalancing.md +++ /dev/null 
@@ -1,387 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. 
| long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.4/docs/pubsub.md b/packages/gcp/2.11.4/docs/pubsub.md deleted file mode 100755 index eaa2b29e3d..0000000000 --- a/packages/gcp/2.11.4/docs/pubsub.md +++ /dev/null 
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.4/docs/storage.md b/packages/gcp/2.11.4/docs/storage.md
deleted file mode 100755
index 690d821c5b..0000000000
--- a/packages/gcp/2.11.4/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.4/docs/vpcflow.md b/packages/gcp/2.11.4/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.4/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.4/img/filebeat-gcp-audit.png b/packages/gcp/2.11.4/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.4/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.4/img/gcp-billing.png b/packages/gcp/2.11.4/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.4/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.4/img/gcp-compute.png b/packages/gcp/2.11.4/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.4/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.4/img/logo_gcp.svg b/packages/gcp/2.11.4/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.4/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.4/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.4/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.4/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.4/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.4/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.4/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.4/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.4/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.4/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.4/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.4/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.4/manifest.yml b/packages/gcp/2.11.4/manifest.yml deleted file mode 100755 index decbf5da62..0000000000 --- a/packages/gcp/2.11.4/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@
-name: gcp
-title: Google Cloud Platform
-version: "2.11.4"
-release: ga
-description: Collect logs from Google Cloud Platform with Elastic Agent.
-type: integration
-icons:
- - src: /img/logo_gcp.svg
- title: logo gcp
- size: 32x32
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - google_cloud
- - cloud
-conditions:
- kibana.version: ^7.17.6 || ^8.3.0
-screenshots:
- - src: /img/filebeat-gcp-audit.png
- title: filebeat gcp audit
- size: 1702x996
- type: image/png
- - src: /img/gcp-billing.png
- title: GCP Billing Metrics Dashboard
- size: 2000x1020
- type: image/png
- - src: /img/gcp-compute.png
- title: GCP Compute Metrics Dashboard
- size: 2000x2021
- type: image/png
-vars:
- - name: project_id
- type: text
- title: Project Id
- multi: false
- required: true
- show_user: true
- default: SET_PROJECT_NAME
- - name: credentials_file
- type: text
- title: Credentials File
- multi: false
- required: false
- show_user: true
- - name: credentials_json
- type: text
- title: Credentials Json
- multi: false
- required: false
- show_user: true
-policy_templates:
- - name: audit
- title: Google Cloud Platform (GCP) Audit logs
- description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - security
- data_streams:
- - audit
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)"
- description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- screenshots:
- - src: /img/filebeat-gcp-audit.png
- title: filebeat gcp audit
- size: 1702x996
- type: image/png
- - name: firewall
- title: Google Cloud Platform (GCP) Firewall logs
- description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - firewall
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) firewall logs (input: gcp-pubsub)"
- description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: vpcflow
- title: Google Cloud Platform (GCP) VPC Flow logs
- description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - vpcflow
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)"
- description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: dns
- title: Google Cloud Platform (GCP) DNS logs
- description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent
- categories:
- - network
- - security
- data_streams:
- - dns
- inputs:
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)"
- description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
- input_group: logs
- - name: billing
- title: Google Cloud Platform (GCP) Billing metrics
- description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - billing
- inputs:
- - type: gcp/metrics
- title: Collect GCP Billing Metrics
- description: Collect GCP Billing Metrics
- input_group: metrics
- screenshots:
- - src: /img/gcp-billing.png
- title: GCP Billing Metrics Dashboard
- size: 2000x1020
- type: image/png
- - name: compute
- title: Google Cloud Platform (GCP) Compute metrics
- description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - compute
- inputs:
- - type: gcp/metrics
- title: Collect GCP Compute Metrics
- description: Collect GCP Compute Metrics
- input_group: metrics
- screenshots:
- - src: /img/gcp-compute.png
- title: GCP Compute Metrics Dashboard
- size: 2000x2021
- type: image/png
- - name: firestore
- title: Google Cloud Platform (GCP) Firestore metrics
- description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - firestore
- inputs:
- - type: gcp/metrics
- title: Collect GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- input_group: metrics
- - name: loadbalancing
- title: Google Cloud Platform (GCP) Load Balancing metrics
- description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - loadbalancing_metrics
- - loadbalancing_logs
- inputs:
- - type: gcp/metrics
- title: Collect GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- input_group: metrics
- - type: gcp-pubsub
- title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)"
- description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)"
- input_group: logs
- - name: storage
- title: Google Cloud Platform (GCP) Storage metrics
- description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - storage
- inputs:
- - type: gcp/metrics
- title: Collect GCP Storage Metrics
- description: Collect GCP Storage Metrics
- input_group: metrics
- - name: gke
- title: Google Cloud Platform (GCP) GKE metrics
- description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - gke
- inputs:
- - type: gcp/metrics
- title: Collect GCP GKE Metrics
- description: Collect GCP GKE Metrics
- input_group: metrics
- - name: dataproc
- title: Google Cloud Platform (GCP) Dataproc metrics
- description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - dataproc
- inputs:
- - type: gcp/metrics
- title: Collect GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- input_group: metrics
- - name: pubsub
- title: Google Cloud Platform (GCP) PubSub metrics
- description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic Agent
- data_streams:
- - pubsub
- inputs:
- - type: gcp/metrics
- title: Collect GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/2.11.5/LICENSE.txt b/packages/gcp/2.11.5/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/gcp/2.11.5/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.5/changelog.yml b/packages/gcp/2.11.5/changelog.yml
deleted file mode 100755
index bad4a319b0..0000000000
--- a/packages/gcp/2.11.5/changelog.yml
+++ /dev/null
@@ -1,277 +0,0 @@
-# newer versions go on top
-- version: "2.11.5"
- changes:
- - description: Move Storage lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4268
-- version: "2.11.4"
- changes:
- - description: Move PubSub lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4267
-- version: "2.11.3"
- changes:
- - description: Move GKE lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3797
-- version: "2.11.2"
- changes:
- - description: Move Firestore lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3798
-- version: "2.11.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.11.0"
- changes:
- - description: Move Compute lightweight module config into integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3797
-- version: "2.10.0"
- changes:
- - description: Add GCP PubSub Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3788
-- version: "2.9.0"
- changes:
- - description: Add GCP Dataproc Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3789
-- version: "2.8.0"
- changes:
- - description: Add GCP GKE Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4098
-- version: "2.7.0"
- changes:
- - description: Add GCP Storage Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3785
-- version: "2.6.0"
- changes:
- - description: Add Load Balancing logs datastream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3493
-- version: "2.5.0"
- changes:
- - description: Add GCP Load Balancing Metricset
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2308
- - description: Fix credentials_json escaping in loadbalancing_metrics
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
- - description: Update loadbalancing_metrics default period to 60s
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
- - description: Fix event.dataset for loadbalancing_metrics
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3986
- - description: Add loadbalancing_metrics distribution fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4004
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3865
-- version: "2.3.0"
- changes:
- - description: Add additional parsing for DNS Public Zone Query Logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2340
-- version: "2.2.1"
- changes:
- - description: Fix Billing policy template title and default period for gcp.compute
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3821
-- version: "2.2.0"
- changes:
- - description: Remove fields duplicated in ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3609
-- version: "2.1.0"
- changes:
- - description: restore compatibility with 7.17 release track
- type: enhancement
- link: foobar
-- version: "2.0.0"
- changes:
- - description: |
- Move configurations to support metrics. This change is breaking, as it moves
- some configuration from the top level variables to data stream variables.
-
- This change involves `project_id`, `credentials_file` and `credentials_json`
- variables that are moved from input level configuration to package level
- configuration (as those variables are reused across all inputs/data streams).
-
- Users with GCP integration enabled will need to input values for these
- variables again when upgrading the policies to this version.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/2707
- - description: Add GCP Billing Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2141
- - description: Add GCP Compute Data Stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2301
- - description: Add GCP Firestore Data stream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2704
-- version: "1.10.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.9.2"
- changes:
- - description: Fix GCP auditlog parsing issue on response status
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3583
-- version: "1.9.1"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3103
-- version: "1.9.0"
- changes:
- - description: Preserve request and response in flattened fields.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3390
-- version: "1.8.0"
- changes:
- - description: Add missing `cloud.provider` field.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3274
-- version: "1.7.0"
- changes:
- - description: Add dashboards for firewall and vpc flow logs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3280
- - description: Add missing mappings for several `event.*` fields.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3280
-- version: "1.6.1"
- changes:
- - description: Clarify the GCP privileges required by the Pub/Sub input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3206
-- version: "1.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.5.0"
- changes:
- - description: Improve Google Cloud Platform docs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2842
-- version: "1.4.2"
- changes:
- - description: Remove emtpy values, names with only dots, and invalid client IPs.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2747
-- version: "1.4.1"
- changes:
- - description: Fix quoting of the credentials_json value in policy templates.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2712
-- version: "1.4.0"
- changes:
- - description: Add gcp.dns integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2624
-- version: "1.3.1"
- changes:
- - description: Add Ingest Pipeline script to map IANA Protocol Numbers
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2470
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2406
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2251
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1965
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1818
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1661
-- version: "1.0.0"
- changes:
- - description: Move from experimental to GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1568
- - description: remove experimental from data_sets
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1717
-- version: "0.3.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1478
-- version: '0.3.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1385
-- version: "0.3.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.3.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.2.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1240
-- version: "0.1.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1045
-- version: "0.0.2"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/846
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/459
diff --git a/packages/gcp/2.11.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@
----
-description: Pipeline for Google Cloud audit logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - set:
- field: gcp.audit.type
- copy_from: "json.protoPayload.@type"
- ignore_failure: true
-##
-# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
-# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog
-##
- - drop:
- description: Drop the document if it is not of AuditLog type
- if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog'
-# .insertId
- - set:
- field: event.id
- copy_from: json.insertId
- if: ctx.json?.insertId != null
-# .logName
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
-# .severity
- - rename:
- field: json.severity
- target_field: log.level
- ignore_missing: true
-##
-# Extract the type of audit logging data from logName to event.provider
-# https://cloud.google.com/pubsub/docs/audit-logging#log_name
-##
- - dissect:
- field: log.logger
- pattern: "%{}%2F%{event.provider}"
- ignore_missing: true
- # NOTE test data fails the spec
- ignore_failure: true
-
- - set:
- field: event.kind
- value: event
- - set:
- field: cloud.provider
- value: gcp
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
-##
-# MonitoredResource
-# .resource
-# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource
-##
- - set:
- field: cloud.project.id
- copy_from: json.resource.labels.project_id
- if: ctx.json?.resource?.labels?.project_id != null
- - set:
- field: cloud.instance.id
- copy_from: json.resource.labels.instance_id
- if: ctx.json?.resource?.labels?.instance_id != null
-##
-# MonitoredResourceDescriptor type
-# https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor
-# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list
-##
- - set:
- field: orchestrator.type
- value: kubernetes
- if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
- - set:
- field: orchestrator.cluster.name
- copy_from: json.resource.labels.cluster_name
- ignore_empty_value: true
- if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
- - set:
- field: _temp.type
- copy_from: json.protoPayload.resourceName
- ignore_empty_value: true
- if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster'
- - grok:
- field: _temp.type
- patterns:
- - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?'
- '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}'
- 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}'
- 'api/%{API_VERSION:orchestrator.api_version}'
- '%{RESOURCE_TYPE:orchestrator.resource.type}'
- pattern_definitions:
- API_VERSION: (v\d+([a-z]+)?(\d+)?)
- RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?)
- ignore_missing: true
-
-##
-# AuthenticationInfo
-# .protoPayload.authenticationInfo
-# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo
-##
-# email address of authenticated user (redacted) or service account
-# principalEmail -> client.user.email
- - rename:
- field: json.protoPayload.authenticationInfo.principalEmail
- target_field: client.user.email
- ignore_missing: true
-# identity of requesting first or third party
-# principalSubject -> client.user.id
- - rename:
- field: json.protoPayload.authenticationInfo.principalSubject
- target_field: client.user.id
- ignore_missing: true
- - rename:
- field: json.protoPayload.authenticationInfo.authoritySelector
- target_field: gcp.audit.authentication_info.authority_selector
- ignore_missing: true
-
- - rename:
- field: gcp.audit.authentication_info.principal_email
- target_field: client.user.email
- if: ctx.client?.user?.email == null
- ignore_missing: true
- - remove:
- field: gcp.audit.authentication_info.principal_email
- if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email
- ignore_missing: true
- - rename:
- field: gcp.audit.authentication_info.principal_subject
- target_field: client.user.id
- if: ctx.client?.user?.id == null
- ignore_missing: true
- - remove:
- field: gcp.audit.authentication_info.principal_subject
- if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject
- ignore_missing: true
-##
-# AuthorizationInfo
-# .protoPayload.authorizationInfo
-# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo
-##
- - rename:
- field: json.protoPayload.authorizationInfo
- target_field: gcp.audit.authorization_info
- ignore_missing: true
- - foreach:
- field: gcp.audit.authorization_info
- ignore_missing: true
- ignore_failure: true
- processor:
- rename:
- field: _ingest._value.resourceAttributes
- target_field: _ingest._value.resource_attributes
- if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List
-
-##
-# Labels
-# .labels
-##
- - set:
- field: gcp.audit.labels
- copy_from: json.labels
- if: ctx.json?.labels != null
-##
-# RequestMetadata
-# .protoPayload.requestMetadata
-# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata
-##
- - convert:
- if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip"
- type: ip
- field: json.protoPayload.requestMetadata.callerIp
- target_field: source.ip
- ignore_missing: true
- - rename:
- field: json.protoPayload.requestMetadata.callerSuppliedUserAgent
- target_field: user_agent.original
- ignore_missing: true
- - user_agent:
- field: user_agent.original
- ignore_missing: true
-##
-# LogEntryOperation
-# .operation
-# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation
-##
-# set only if it is not the same as insertId
- - set:
- field: gcp.audit.logentry_operation.id
- copy_from: json.operation.id
- if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id
- - script:
- lang: painless
- description: set event.category and type for long running operation
- tag: set-event-type-for-long-operations
- if: ctx.json?.operation != null
- source: |
- def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first;
- def last = (ctx.json.operation.last == null) ? false : ctx.json.operation.last;
- if (first && last) {
- return;
- }
- if (ctx.event.category == null) {
- ctx.event.category = new ArrayList();
- }
- if (ctx.event.type == null) {
- ctx.event.type = new ArrayList();
- }
- ctx.event.category.add('session');
- if (first == true && last == false) {
- ctx.event.type.add('start');
- }
- if (first == false && last == true) {
- ctx.event.type.add('end');
- }
-
-# TODO remove duplicate protoPayload.methodName
- - rename:
- field: json.protoPayload.methodName
- target_field: event.action
- ignore_missing: true
- - convert:
- field: json.protoPayload.numResponseItems
- target_field: gcp.audit.num_response_items
- type: long
- ignore_missing: true
- - set:
- field: gcp.audit.request
- copy_from: json.protoPayload.request
- if: ctx.json?.protoPayload?.request != null
- - set:
- field: gcp.audit.response
- copy_from: json.protoPayload.response
- if: ctx.json?.protoPayload?.response != null
- - remove:
- field: gcp.audit.response.status
- ignore_missing: true
- if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map)
- - rename:
- field: json.protoPayload.response.status
- target_field: gcp.audit.response.status_value
- ignore_missing: true
- if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map)
- - rename:
- field: json.protoPayload.resourceName
- target_field: gcp.audit.resource_name
- ignore_missing: true
- if: ctx.orchestrator?.type != 'kubernetes'
- - rename:
- field: json.protoPayload.resourceLocation.currentLocations
- target_field: gcp.audit.resource_location.current_locations
- ignore_missing: true
- - rename:
- field: json.protoPayload.serviceName
- target_field: gcp.audit.service_name
- ignore_missing: true
- - rename:
- field: gcp.audit.service_name
- target_field: service.name
- if: ctx.service?.name == null
- ignore_missing: true
-##
-# .protoPayload.Status
-# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status
-# google.rpc.Code referred in Status can have the following values
-# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto
-##
- - convert:
- field: json.protoPayload.status.code
- target_field: gcp.audit.status.code
- type: long
- ignore_missing: true
- - rename:
- field: json.protoPayload.status.message
- target_field: gcp.audit.status.message
- ignore_missing: true
- - set:
- field: event.outcome
- value: success
- if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0
- - set:
- field: event.outcome
- value: failure
- if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0
- - set:
- field: event.outcome
- value: success
- if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted
- - set:
- field: event.outcome
- value: failure
- if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted
- - set:
- field: event.outcome
- value: unknown
- if: ctx?.event?.outcome == null
-
-##
-# if gcp.audit.authorization_info.[0].granted is true then
-# set event.category [network, configuration] and event.type to [access, allowed];
-# Caveat
-# 1. protoPayload.resourceName is a single value while authorization_info[].resource
-# is a list.
-# 2. as per test data authorization_info may not be as per spec.
-##
- - append:
- field: event.category
- value: ['network', 'configuration']
- if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1
- - append:
- field: event.type
- value: ['access', 'allowed']
- if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted
- - append:
- field: event.type
- value: ['access', 'denied']
- if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted
-
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-
-##
-# clean-up
-##
- - remove:
- field:
- - _temp
- - json
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Drops null and empty values and dotted keys recursively
- lang: painless
- source: |
- boolean drop(Object o) {
- if (o == null || o == "") {
- return true;
- } else if (o instanceof Map) {
- def m = ((Map) o);
- def it = m.entrySet().iterator();
- while (it.hasNext()) {
- def e = ((Map.Entry) it.next());
- def key = ((String) e.getKey());
- def value = e.getValue();
- Pattern onlyDotsRegex = /^\.+$/;
- if (onlyDotsRegex.matcher(key).matches() || drop(value)) {
- it.remove();
- }
- }
- return (m.size() == 0);
- } else if (o instanceof List) {
- def l = ((List) o);
- l.removeIf(v -> drop(v));
- return (l.length == 0);
- }
- return false;
- }
- drop(ctx);
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.5/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.5/data_stream/audit/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.5/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.5/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.5/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.5/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.5/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.5/data_stream/audit/manifest.yml b/packages/gcp/2.11.5/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.5/data_stream/audit/sample_event.json b/packages/gcp/2.11.5/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.5/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.5/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.5/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.5/data_stream/billing/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/gcp/2.11.5/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.5/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.5/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.5/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.5/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.5/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.5/data_stream/billing/manifest.yml b/packages/gcp/2.11.5/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.5/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.5/data_stream/billing/sample_event.json b/packages/gcp/2.11.5/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.5/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.5/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.5/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.5/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.5/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.5/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.5/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.5/data_stream/compute/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.5/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.5/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.5/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.5/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.5/data_stream/compute/manifest.yml b/packages/gcp/2.11.5/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.5/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.5/data_stream/compute/sample_event.json b/packages/gcp/2.11.5/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.5/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 97afa3e9d5..0000000000
--- a/packages/gcp/2.11.5/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,13 +0,0 @@
-metricsets: ["dataproc"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.5/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.5/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/dataproc/fields/base-fields.yml
deleted file mode 100755
index 0dbeaa24e6..0000000000
--- a/packages/gcp/2.11.5/data_stream/dataproc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dataproc
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/dataproc/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.5/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.5/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.5/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.5/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.5/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.5/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.5/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.5/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.5/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.5/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.5/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.5/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.5/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.5/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.5/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.5/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.5/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.5/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.5/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- An array containing an object for each answer section returned by the server.
- The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
- Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
- name: dns.answers
- normalize:
- - array
- type: object
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- Array containing all IPs seen in `answers.data`.
- The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
- name: dns.resolved_ip
- normalize:
- - array
- type: ip
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
diff --git a/packages/gcp/2.11.5/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.5/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.5/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.5/data_stream/dns/manifest.yml b/packages/gcp/2.11.5/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.5/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.5/data_stream/dns/sample_event.json b/packages/gcp/2.11.5/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.5/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No
newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.5/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/firestore/fields/base-fields.yml
deleted file mode 100755
index 7d9cfc69ef..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firestore
diff --git a/packages/gcp/2.11.5/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/firestore/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.5/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.5/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.5/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.5/data_stream/firestore/manifest.yml b/packages/gcp/2.11.5/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.5/data_stream/firestore/sample_event.json b/packages/gcp/2.11.5/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.5/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.5/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.5/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.5/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.5/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.5/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.5/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.5/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.5/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.5/data_stream/firewall/manifest.yml b/packages/gcp/2.11.5/data_stream/firewall/manifest.yml
deleted file mode 100755
index 0bc29d382e..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.5/data_stream/firewall/sample_event.json b/packages/gcp/2.11.5/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.5/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5d212d9c02..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.5/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/gke/fields/base-fields.yml
deleted file mode 100755
index 485fc8f2d6..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.gke
diff --git a/packages/gcp/2.11.5/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/gke/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.5/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.5/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.5/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.5/data_stream/gke/manifest.yml b/packages/gcp/2.11.5/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.5/data_stream/gke/sample_event.json b/packages/gcp/2.11.5/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.5/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index f10556ac50..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.5/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 0afe006419..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["loadbalancing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} \ No newline at end of file diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
- - name: https.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
- - name: https.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the RTT measured for each connection between client and proxy.
- - name: https.internal.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.internal.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: https.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: l3.external.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
- - name: l3.internal.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
- - name: tcp_ssl_proxy.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client.
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.5/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.5/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.5/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.5/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.5/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.5/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.5/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.5/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.5/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-- name: gcp.pubsub
- description: Google Cloud PubSub metrics
- type: group
- fields:
- - name: snapshot.backlog.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot.
- - name: snapshot.backlog_bytes_by_region.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: snapshot.num_messages.value
- type: long
- description: Number of messages retained in a snapshot.
- - name: snapshot.num_messages_by_region.value
- type: long
- description: Number of messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.oldest_message_age.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot.
- - name: snapshot.oldest_message_age_by_region.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
- - name: subscription.ack_message.count
- type: long
- description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
- - name: subscription.backlog.bytes
- type: long
- description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.byte_cost.bytes
- type: long
- description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
- - name: subscription.config_updates.count
- type: long
- description: Cumulative count of configuration changes for each subscription, grouped by operation type and result.
- - name: subscription.dead_letter_message.count
- type: long
- description: Cumulative count of messages published to dead letter topic, grouped by result.
- - name: subscription.mod_ack_deadline_message.count
- type: long
- description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
- - name: subscription.mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of ModifyAckDeadline message operations, grouped by result.
- - name: subscription.mod_ack_deadline_request.count
- type: long
- description: Cumulative count of ModifyAckDeadline requests, grouped by result.
- - name: subscription.num_outstanding_messages.value
- type: long
- description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.
- - name: subscription.num_undelivered_messages.value
- type: long
- description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.oldest_retained_acked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription.
- - name: subscription.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
- - name: subscription.oldest_unacked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
- - name: subscription.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
- - name: subscription.pull_ack_message_operation.count
- type: long
- description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_ack_request.count
- type: long
- description: Cumulative count of acknowledge requests, grouped by result.
- - name: subscription.pull_message_operation.count
- type: long
- description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_request.count
- type: long
- description: Cumulative count of pull requests, grouped by result.
- - name: subscription.push_request.count
- type: long
- description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
- - name: subscription.retained_acked.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription.
- - name: subscription.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
- - name: subscription.seek_request.count
- type: long
- description: Cumulative count of seek attempts, grouped by result.
- - name: subscription.sent_message.count
- type: long
- description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
- - name: subscription.streaming_pull_ack_message_operation.count
- type: long
- description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.streaming_pull_ack_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
- - name: subscription.streaming_pull_message_operation.count
- type: long
- description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count
- - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
- - name: subscription.streaming_pull_mod_ack_deadline_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
- - name: subscription.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: subscription.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
- - name: topic.byte_cost.bytes
- type: long
- description: Cost of operations, measured in bytes. This is used to measure utilization for quotas.
- - name: topic.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: topic.message_sizes.bytes
- type: object
- object_type: histogram
- description: Distribution of publish message sizes (in bytes)
- - name: topic.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
- - name: topic.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
- - name: topic.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
- - name: topic.send_message_operation.count
- type: long
- description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: topic.send_request.count
- type: long
- description: Cumulative count of publish requests, grouped by result.
- - name: topic.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: topic.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
- - name: subscription.ack_latencies.value
- type: object
- object_type: histogram
- description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
- - name: subscription.push_request_latencies.value
- type: object
- object_type: histogram
- description: Distribution of push request latencies (in microseconds), grouped by result.
diff --git a/packages/gcp/2.11.5/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/pubsub/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.5/data_stream/pubsub/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.5/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.5/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.5/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.5/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.5/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.5/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.5/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.5/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.5/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.5/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.5/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.5/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.5/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.5/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.5/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.5/data_stream/storage/manifest.yml b/packages/gcp/2.11.5/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.5/data_stream/storage/sample_event.json b/packages/gcp/2.11.5/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.5/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.5/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.5/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.5/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.5/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.5/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.5/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.5/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.5/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.5/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.5/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.5/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/docs/README.md b/packages/gcp/2.11.5/docs/README.md
deleted file mode 100755
index d2788c2ffd..0000000000
--- a/packages/gcp/2.11.5/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@
-# Google Cloud Platform Integration
-
-The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink.
-
-## Authentication
-
-To use this Google Cloud Platform (GCP) integration, you need to set up a
-*Service Account* with a *Role* and a *Service Account Key* to access data on
-your GCP project.
-
-### Service Account
-
-First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources.
-
-The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs.
-
-If you haven't already, this might be a good moment to check out the [best
-practices for securing service
-accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts)
-guide.
-
-### Role
-
-You need to grant your Service Account (SA) access to Google Cloud Platform
-resources by assigning a role to the account. In order to assign minimal
-privileges, create a custom role that has only the privileges required by Agent.
-Those privileges are:
-
-- `pubsub.subscriptions.consume`
-- `pubsub.subscriptions.create` *
-- `pubsub.subscriptions.get`
-- `pubsub.topics.attachSubscription` *
-
-\* Only required if Agent is expected to create a new subscription. If you
-create the subscriptions yourself you may omit these privileges.
-
-After you have created the custom role, assign the role to your service account.
-
-### Service Account Keys
-
-Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key.
-
-From the list of SA:
-
-1. Click the one you just created to open the detailed view.
-2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type.
-3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost).
-
-## Configure the Integration Settings
-
-The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow).
-
-The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration.
-
-### Project Id
-
-The Project Id is the Google Cloud project ID where your resources exist.
-
-### Credentials File vs Json
-
-Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field.
-
-#### Option 1: Credentials File
-
-Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file.
-
-Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`.
-
-#### Option 2: Credentials JSON
-
-Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration.
-
-#### Recommendations
-
-Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data.
-
-## Logs Collection Configuration
-
-With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs.
-
-### Requirements
-
-You need to create a few dedicated Google Cloud resources before starting, in detail:
-
-- Log Sink
-- Pub/Sub Topic
-- Subscription
-
-Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream.
-
-Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration.
-
-### On the Google Cloud Console
-
-At a high level, the steps required are:
-
-- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description.
-- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration.
-- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings.
-- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs.
-
-This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic.
-
-More example filters for different log types:
-
-```text
-#
-# VPC Flow: logs for specific subnet
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/vpc_flows") AND
-resource.labels.subnetwork_name"=[SUBNET_NAME]"
-#
-# Audit: Google Compute Engine firewall rule deletion
-#
-resource.type="gce_firewall_rule" AND
-log_id("cloudaudit.googleapis.com/activity") AND
-protoPayload.methodName:"firewalls.delete"
-#
-# DNS: all DNS queries
-#
-resource.type="dns_query"
-#
-# Firewall: logs for a given country
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/firewall") AND
-jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3]
-```
-
-Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack.
-
-To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs.
-
-### On Kibana
-
-Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created.
-
-From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and:
-
-- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console.
-- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console).
-- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy.
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
-
-## Metrics
-
-### Billing
-
-The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Firestore
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.5/docs/audit.md b/packages/gcp/2.11.5/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.5/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.5/docs/billing.md b/packages/gcp/2.11.5/docs/billing.md deleted file mode 100755 index 30701286fe..0000000000 --- a/packages/gcp/2.11.5/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.5/docs/compute.md b/packages/gcp/2.11.5/docs/compute.md deleted file mode 100755 index f44bacd928..0000000000 --- a/packages/gcp/2.11.5/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
-  "@timestamp": "2017-10-12T08:05:34.853Z",
-  "cloud": {
-    "account": {
-      "id": "elastic-obs-integrations-dev",
-      "name": "elastic-obs-integrations-dev"
-    },
-    "instance": {
-      "id": "4751091017865185079",
-      "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-    },
-    "machine": {
-      "type": "e2-medium"
-    },
-    "provider": "gcp",
-    "availability_zone": "us-central1-c",
-    "region": "us-central1"
-  },
-  "event": {
-    "dataset": "gcp.compute",
-    "duration": 115000,
-    "module": "gcp"
-  },
-  "gcp": {
-    "compute": {
-      "firewall": {
-        "dropped": {
-          "bytes": 421
-        },
-        "dropped_packets_count": {
-          "value": 4
-        }
-      },
-      "instance": {
-        "cpu": {
-          "reserved_cores": {
-            "value": 1
-          },
-          "usage": {
-            "pct": 0.07259952346383708
-          },
-          "usage_time": {
-            "sec": 4.355971407830225
-          }
-        },
-        "memory": {
-          "balloon": {
-            "ram_size": {
-              "value": 4128378880
-            },
-            "ram_used": {
-              "value": 2190848000
-            },
-            "swap_in": {
-              "bytes": 0
-            },
-            "swap_out": {
-              "bytes": 0
-            }
-          }
-        },
-        "uptime": {
-          "sec": 60.00000000000091
-        }
-      }
-    },
-    "labels": {
-      "user": {
-        "goog-gke-node": ""
-      }
-    }
-  },
-  "host": {
-    "id": "4751091017865185079",
-    "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-  },
-  "metricset": {
-    "name": "compute",
-    "period": 10000
-  },
-  "service": {
-    "type": "gcp"
-  }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.5/docs/dataproc.md b/packages/gcp/2.11.5/docs/dataproc.md
deleted file mode 100755
index acfb02d2d1..0000000000
--- a/packages/gcp/2.11.5/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
-  "@timestamp": "2017-10-12T08:05:34.853Z",
-  "cloud": {
-    "account": {
-      "id": "elastic-obs-integrations-dev",
-      "name": "elastic-obs-integrations-dev"
-    },
-    "instance": {
-      "id": "4751091017865185079",
-      "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-    },
-    "machine": {
-      "type": "e2-medium"
-    },
-    "provider": "gcp",
-    "availability_zone": "us-central1-c",
-    "region": "us-central1"
-  },
-  "event": {
-    "dataset": "gcp.dataproc",
-    "duration": 115000,
-    "module": "gcp"
-  },
-  "gcp": {
-    "dataproc": {
-      "cluster": {
-        "hdfs": {
-          "datanodes": {
-            "count": 15
-          }
-        }
-      }
-    },
-    "labels": {
-      "user": {
-        "goog-gke-node": ""
-      }
-    }
-  },
-  "host": {
-    "id": "4751091017865185079",
-    "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
-  },
-  "metricset": {
-    "name": "dataproc",
-    "period": 10000
-  },
-  "service": {
-    "type": "gcp"
-  }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. | long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.5/docs/dns.md b/packages/gcp/2.11.5/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.5/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
-  "@timestamp": "2022-01-23T09:16:05.341Z",
-  "agent": {
-    "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
-    "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
-    "name": "docker-fleet-agent",
-    "type": "filebeat",
-    "version": "8.2.3"
-  },
-  "cloud": {
-    "availability_zone": "europe-west2-a",
-    "instance": {
-      "id": "8340998530665147",
-      "name": "instance"
-    },
-    "project": {
-      "id": "project"
-    },
-    "provider": "gcp",
-    "region": "europe-west2"
-  },
-  "data_stream": {
-    "dataset": "gcp.dns",
-    "namespace": "ep",
-    "type": "logs"
-  },
-  "dns": {
-    "answers": [
-      {
-        "class": "IN",
-        "data": "127.0.0.1",
-        "name": "elastic.co",
-        "ttl": "300",
-        "type": "A"
-      }
-    ],
-    "question": {
-      "name": "elastic.co",
-      "registered_domain": "elastic.co",
-      "top_level_domain": "co",
-      "type": "A"
-    },
-    "resolved_ip": [
-      "127.0.0.1"
-    ],
-    "response_code": "NOERROR"
-  },
-  "ecs": {
-    "version": "8.3.0"
-  },
-  "elastic_agent": {
-    "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
-    "snapshot": false,
-    "version": "8.2.3"
-  },
-  "event": {
-    "agent_id_status": "verified",
-    "created": "2022-06-28T02:46:41.230Z",
-    "dataset": "gcp.dns",
-    "id": "vwroyze8pg7y",
-    "ingested": "2022-06-28T02:46:42Z",
-    "kind": "event",
-    "outcome": "success"
-  },
-  "gcp": {
-    "dns": {
-      "auth_answer": true,
-      "protocol": "UDP",
-      "query_name": "elastic.co.",
-      "query_type": "A",
-      "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
-      "response_code": "NOERROR",
-      "server_latency": 14,
-      "source_ip": "10.154.0.3",
-      "source_network": "default",
-      "vm_instance_id": "8340998530665147",
-      "vm_instance_name": "694119234537.instance",
-      "vm_project_id": "project",
-      "vm_zone_name": "europe-west2-a"
-    }
-  },
-  "input": {
-    "type": "gcp-pubsub"
-  },
-  "log": {
-    "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
-  },
-  "network": {
-    "transport": "udp"
-  },
-  "source": {
-    "address": "10.154.0.3",
-    "ip": "10.154.0.3"
-  },
-  "tags": [
-    "forwarded",
-    "gcp-dns"
-  ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/docs/firestore.md b/packages/gcp/2.11.5/docs/firestore.md
deleted file mode 100755
index 71627a4718..0000000000
--- a/packages/gcp/2.11.5/docs/firestore.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Firestore
-
-## Metrics
-
-The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.5/docs/firewall.md b/packages/gcp/2.11.5/docs/firewall.md
deleted file mode 100755
index 48e690fcf4..0000000000
--- a/packages/gcp/2.11.5/docs/firewall.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Firewall
-
-## Logs
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.5/docs/gke.md b/packages/gcp/2.11.5/docs/gke.md
deleted file mode 100755
index 367fcec297..0000000000
--- a/packages/gcp/2.11.5/docs/gke.md
+++ /dev/null
@@ -1,160 +0,0 @@
-# GKE
-
-## Metrics
-
-The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions.
-
-## Sample Event
-
-An example event for `gke` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double |
-| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long |
-| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double |
-| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double |
-| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.5/docs/loadbalancing.md b/packages/gcp/2.11.5/docs/loadbalancing.md deleted file mode 100755 index ed197598a2..0000000000 --- a/packages/gcp/2.11.5/docs/loadbalancing.md +++ /dev/null 
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword |
-| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean |
-| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword |
-| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean |
-| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword |
-| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword |
-| gcp.load_balancer.target_proxy_name | The target proxy name | keyword |
-| gcp.load_balancer.url_map_name | The URL map name | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long |
-| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long |
-| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. | object |
-| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long |
-| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long |
-| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.5/docs/pubsub.md b/packages/gcp/2.11.5/docs/pubsub.md
deleted file mode 100755
index eaa2b29e3d..0000000000
--- a/packages/gcp/2.11.5/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.5/docs/storage.md b/packages/gcp/2.11.5/docs/storage.md deleted file mode 100755 index 690d821c5b..0000000000 --- a/packages/gcp/2.11.5/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.5/docs/vpcflow.md b/packages/gcp/2.11.5/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.5/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.5/img/filebeat-gcp-audit.png b/packages/gcp/2.11.5/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/2.11.5/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/2.11.5/img/gcp-billing.png b/packages/gcp/2.11.5/img/gcp-billing.png deleted file mode 100755 index b697c285a1..0000000000 Binary files a/packages/gcp/2.11.5/img/gcp-billing.png and /dev/null differ diff --git a/packages/gcp/2.11.5/img/gcp-compute.png b/packages/gcp/2.11.5/img/gcp-compute.png deleted file mode 100755 index d4d90d27ad..0000000000 Binary files a/packages/gcp/2.11.5/img/gcp-compute.png and /dev/null differ diff --git a/packages/gcp/2.11.5/img/logo_gcp.svg b/packages/gcp/2.11.5/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/2.11.5/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 1ad9f23b5a..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.5/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.5/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.5/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.5/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.5/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.5/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.5/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.5/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.5/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 8895100042..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index fbbf68f4d4..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 8b7e7300c9..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 94a8ff52e0..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.5/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 441aac75ab..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
deleted file mode 100755
index fa3f3fa3e8..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 214ee0c212..0000000000
--- a/packages/gcp/2.11.5/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.5/manifest.yml b/packages/gcp/2.11.5/manifest.yml deleted file mode 100755 index 6a76130ea2..0000000000 --- a/packages/gcp/2.11.5/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.5" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.6/LICENSE.txt b/packages/gcp/2.11.6/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.6/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.6/changelog.yml b/packages/gcp/2.11.6/changelog.yml
deleted file mode 100755
index f13caa176d..0000000000
--- a/packages/gcp/2.11.6/changelog.yml
+++ /dev/null
@@ -1,282 +0,0 @@ -# newer versions go on top -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.6/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.6/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.6/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.6/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.6/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/2.11.6/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 4487d9358b..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.6/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.6/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.6/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.6/data_stream/audit/manifest.yml b/packages/gcp/2.11.6/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.6/data_stream/audit/sample_event.json b/packages/gcp/2.11.6/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.6/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.6/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.6/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.6/data_stream/billing/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/gcp/2.11.6/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.6/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.billing
diff --git a/packages/gcp/2.11.6/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.6/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.6/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.6/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.6/data_stream/billing/manifest.yml b/packages/gcp/2.11.6/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.6/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.6/data_stream/billing/sample_event.json b/packages/gcp/2.11.6/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.6/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.6/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.6/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.compute
diff --git a/packages/gcp/2.11.6/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.6/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.6/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.6/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.6/data_stream/compute/manifest.yml b/packages/gcp/2.11.6/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.6/data_stream/compute/sample_event.json b/packages/gcp/2.11.6/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.6/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 97afa3e9d5..0000000000
--- a/packages/gcp/2.11.6/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,13 +0,0 @@
-metricsets: ["dataproc"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
diff --git a/packages/gcp/2.11.6/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.6/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.6/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.6/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.6/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.6/data_stream/dataproc/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.6/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.6/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.6/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.6/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.6/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.6/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.6/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.6/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.6/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.6/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.6/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.6/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.6/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.6/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.6/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.6/data_stream/dns/fields/fields.yml deleted file mode 100755 index 0edf352fb0..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.6/data_stream/dns/manifest.yml b/packages/gcp/2.11.6/data_stream/dns/manifest.yml deleted file mode 100755 index 202ad033f7..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.11.6/data_stream/dns/sample_event.json b/packages/gcp/2.11.6/data_stream/dns/sample_event.json deleted file mode 100755 index da7cf1f2d6..0000000000 --- a/packages/gcp/2.11.6/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.6/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.6/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.6/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 
--- a/packages/gcp/2.11.6/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.6/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.6/data_stream/firestore/manifest.yml b/packages/gcp/2.11.6/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.6/data_stream/firestore/sample_event.json b/packages/gcp/2.11.6/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.6/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.6/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@
----
-description: Pipeline for Google Cloud Firewall Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.action
- value: firewall-rule
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.resource.labels.subnetwork_name
- target_field: network.name
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - rename:
- field: json.jsonPayload.disposition
- target_field: event.type
- if: ctx?.json?.jsonPayload?.disposition != null
- - set:
- field: event.type
- value: connection
- if: ctx?.event?.type != null
- - lowercase:
- field: event.type
- - set:
- field: network.direction
- value: inbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
- - set:
- field: network.direction
- value: outbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
- target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.rule_details.reference
- target_field: rule.name
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- if: ctx?.source?.address != null
- ignore_failure: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- if: ctx?.destination?.address != null
- ignore_failure: true
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "inbound"
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - rename:
- field: json.jsonPayload.rule_details
- target_field: gcp.firewall.rule_details
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- - remove:
- field:
- - gcp.firewall.connection
- - gcp.firewall.dest_location
- - gcp.firewall.disposition
- - gcp.firewall.src_location
- - json
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.6/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.6/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.6/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.6/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.6/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.6/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.6/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@
-- description: Container name.
- name: container.name
- type: keyword
-- description: Runtime managing this container.
- name: container.runtime
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/gcp/2.11.6/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.6/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index 98681562b2..0000000000
--- a/packages/gcp/2.11.6/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.6/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.6/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.6/data_stream/firewall/manifest.yml b/packages/gcp/2.11.6/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.6/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.6/data_stream/firewall/sample_event.json b/packages/gcp/2.11.6/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.6/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5d212d9c02..0000000000
--- a/packages/gcp/2.11.6/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: gke
- service_metric_prefix: kubernetes.io/
- metric_types:
- - "container/cpu/core_usage_time"
- - "container/cpu/limit_cores"
- - "container/cpu/limit_utilization"
- - "container/cpu/request_cores"
- - "container/cpu/request_utilization"
- - "container/ephemeral_storage/limit_bytes"
- - "container/ephemeral_storage/request_bytes"
- - "container/ephemeral_storage/used_bytes"
- - "container/memory/limit_bytes"
- - "container/memory/limit_utilization"
- - "container/memory/page_fault_count"
- - "container/memory/request_bytes"
- - "container/memory/request_utilization"
- - "container/memory/used_bytes"
- - "container/restart_count"
- - "container/uptime"
- - "node/cpu/allocatable_cores"
- - "node/cpu/allocatable_utilization"
- - "node/cpu/core_usage_time"
- - "node/cpu/total_cores"
- - "node/ephemeral_storage/allocatable_bytes"
- - "node/ephemeral_storage/inodes_free"
- - "node/ephemeral_storage/inodes_total"
- - "node/ephemeral_storage/total_bytes"
- - "node/ephemeral_storage/used_bytes"
- - "node/memory/allocatable_bytes"
- - "node/memory/allocatable_utilization"
- - "node/memory/total_bytes"
- - "node/memory/used_bytes"
- - "node/network/received_bytes_count"
- - "node/network/sent_bytes_count"
- - "node/pid_limit"
- - "node/pid_used"
- - "node_daemon/cpu/core_usage_time"
- - "node_daemon/memory/used_bytes"
- - "pod/network/received_bytes_count"
- - "pod/network/sent_bytes_count"
- - "pod/volume/total_bytes"
- - "pod/volume/used_bytes"
- - "pod/volume/utilization"
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.6/data_stream/gke/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.6/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.6/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.6/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.6/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.6/data_stream/gke/manifest.yml b/packages/gcp/2.11.6/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.6/data_stream/gke/sample_event.json b/packages/gcp/2.11.6/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.6/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index f10556ac50..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.6/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/fields.yml
deleted file mode 100755
index 2e8929f684..0000000000
--- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-- name: gcp.loadbalancing
- description: Google Cloud Load Balancing metrics
- type: group
- fields:
- - name: https.backend_request.bytes
- type: long
- description: The number of bytes sent as requests from HTTP/S load balancer to backends.
- - name: https.backend_request.count
- type: long
- description: The number of requests served by backends of HTTP/S load balancer.
- - name: https.backend_response.bytes
- type: long
- description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
- - name: https.request.bytes
- type: long
- description: The number of bytes sent as requests from clients to HTTP/S load balancer.
- - name: https.request.count
- type: long
- description: The number of requests served by HTTP/S load balancer.
- - name: https.response.bytes
- type: long
- description: The number of bytes sent as responses from HTTP/S load balancer to clients.
- - name: l3.external.egress.bytes
- type: long
- description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.egress_packets.count
- type: long
- description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
- - name: l3.external.ingress.bytes
- type: long
- description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
- - name: l3.external.ingress_packets.count
- type: long
- description: The number of packets sent from client to external TCP/UDP network load balancer backend.
- - name: l3.internal.egress.bytes
- type: long
- description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.egress_packets.count
- type: long
- description: The number of packets sent from ILB backend to client of the flow.
- - name: l3.internal.ingress.bytes
- type: long
- description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
- - name: l3.internal.ingress_packets.count
- type: long
- description: The number of packets sent from client to ILB backend.
- - name: tcp_ssl_proxy.closed_connections.value
- type: long
- description: Number of connections that were terminated over TCP/SSL proxy.
- - name: tcp_ssl_proxy.egress.bytes
- type: long
- description: Number of bytes sent from VM to client using proxy.
- - name: tcp_ssl_proxy.ingress.bytes
- type: long
- description: Number of bytes sent from client to VM using proxy.
- - name: tcp_ssl_proxy.new_connections.value
- type: long
- description: Number of connections that were created over TCP/SSL proxy.
- - name: tcp_ssl_proxy.open_connections.value
- type: long
- description: Current number of outstanding connections through the TCP/SSL proxy.
- - name: https.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.external.regional.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
- - name: https.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the RTT measured for each connection between client and proxy.
- - name: https.internal.backend_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
- - name: https.internal.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: https.total_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
- - name: l3.external.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
- - name: l3.internal.rtt_latencies.value
- type: object
- object_type: histogram
- description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
- - name: tcp_ssl_proxy.frontend_tcp_rtt.value
- type: object
- object_type: histogram
- description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client.
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.6/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- },
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/pubsub/agent/stream/stream.yml.hbs
deleted file mode 100755
index 3444d1ca25..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,67 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: pubsub
- metric_types:
- - "snapshot/backlog_bytes"
- - "snapshot/backlog_bytes_by_region"
- - "snapshot/config_updates_count"
- - "snapshot/num_messages"
- - "snapshot/num_messages_by_region"
- - "snapshot/oldest_message_age"
- - "snapshot/oldest_message_age_by_region"
- - "subscription/ack_message_count"
- - "subscription/backlog_bytes"
- - "subscription/byte_cost"
- - "subscription/config_updates_count"
- - "subscription/dead_letter_message_count"
- - "subscription/mod_ack_deadline_message_count"
- - "subscription/mod_ack_deadline_message_operation_count"
- - "subscription/mod_ack_deadline_request_count"
- - "subscription/num_outstanding_messages"
- - "subscription/num_undelivered_messages"
- - "subscription/oldest_retained_acked_message_age"
- - "subscription/oldest_retained_acked_message_age_by_region"
- - "subscription/oldest_unacked_message_age"
- - "subscription/oldest_unacked_message_age_by_region"
- - "subscription/pull_ack_message_operation_count"
- - "subscription/pull_ack_request_count"
- - "subscription/pull_message_operation_count"
- - "subscription/pull_request_count"
- - "subscription/push_request_count"
- - "subscription/retained_acked_bytes"
- - "subscription/retained_acked_bytes_by_region"
- - "subscription/seek_request_count"
- - "subscription/sent_message_count"
- - "subscription/streaming_pull_ack_message_operation_count"
- - "subscription/streaming_pull_ack_request_count"
- - "subscription/streaming_pull_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_message_operation_count"
- - "subscription/streaming_pull_mod_ack_deadline_request_count"
- - "subscription/streaming_pull_response_count"
- - "subscription/unacked_bytes_by_region"
- - "topic/byte_cost"
- - "topic/config_updates_count"
- - "topic/oldest_retained_acked_message_age_by_region"
- - "topic/oldest_unacked_message_age_by_region"
- - "topic/retained_acked_bytes_by_region"
- - "topic/send_message_operation_count"
- - "topic/send_request_count"
- - "topic/unacked_bytes_by_region"
- - "subscription/ack_latencies"
- - "subscription/push_request_latencies"
- - "topic/message_sizes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.6/data_stream/pubsub/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.6/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-- name: gcp.pubsub
- description: Google Cloud PubSub metrics
- type: group
- fields:
- - name: snapshot.backlog.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot.
- - name: snapshot.backlog_bytes_by_region.bytes
- type: long
- description: Total byte size of the messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: snapshot.num_messages.value
- type: long
- description: Number of messages retained in a snapshot.
- - name: snapshot.num_messages_by_region.value
- type: long
- description: Number of messages retained in a snapshot, broken down by Cloud region.
- - name: snapshot.oldest_message_age.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot.
- - name: snapshot.oldest_message_age_by_region.sec
- type: long
- description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
- - name: subscription.ack_message.count
- type: long
- description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
- - name: subscription.backlog.bytes
- type: long
- description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.byte_cost.bytes
- type: long
- description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
- - name: subscription.config_updates.count
- type: long
- description: Cumulative count of configuration changes for each subscription, grouped by operation type and result.
- - name: subscription.dead_letter_message.count
- type: long
- description: Cumulative count of messages published to dead letter topic, grouped by result.
- - name: subscription.mod_ack_deadline_message.count
- type: long
- description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
- - name: subscription.mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of ModifyAckDeadline message operations, grouped by result.
- - name: subscription.mod_ack_deadline_request.count
- type: long
- description: Cumulative count of ModifyAckDeadline requests, grouped by result.
- - name: subscription.num_outstanding_messages.value
- type: long
- description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.
- - name: subscription.num_undelivered_messages.value
- type: long
- description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
- - name: subscription.oldest_retained_acked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription.
- - name: subscription.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
- - name: subscription.oldest_unacked_message_age.sec
- type: long
- description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
- - name: subscription.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
- - name: subscription.pull_ack_message_operation.count
- type: long
- description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_ack_request.count
- type: long
- description: Cumulative count of acknowledge requests, grouped by result.
- - name: subscription.pull_message_operation.count
- type: long
- description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.pull_request.count
- type: long
- description: Cumulative count of pull requests, grouped by result.
- - name: subscription.push_request.count
- type: long
- description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
- - name: subscription.retained_acked.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription.
- - name: subscription.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
- - name: subscription.seek_request.count
- type: long
- description: Cumulative count of seek attempts, grouped by result.
- - name: subscription.sent_message.count
- type: long
- description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
- - name: subscription.streaming_pull_ack_message_operation.count
- type: long
- description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: subscription.streaming_pull_ack_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
- - name: subscription.streaming_pull_message_operation.count
- type: long
- description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count
- - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count
- type: long
- description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
- - name: subscription.streaming_pull_mod_ack_deadline_request.count
- type: long
- description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
- - name: subscription.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: subscription.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
- - name: topic.byte_cost.bytes
- type: long
- description: Cost of operations, measured in bytes. This is used to measure utilization for quotas.
- - name: topic.config_updates.count
- type: long
- description: Cumulative count of configuration changes, grouped by operation type and result.
- - name: topic.message_sizes.bytes
- type: object
- object_type: histogram
- description: Distribution of publish message sizes (in bytes)
- - name: topic.oldest_retained_acked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
- - name: topic.oldest_unacked_message_age_by_region.value
- type: long
- description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
- - name: topic.retained_acked_bytes_by_region.bytes
- type: long
- description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
- - name: topic.send_message_operation.count
- type: long
- description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
- - name: topic.send_request.count
- type: long
- description: Cumulative count of publish requests, grouped by result.
- - name: topic.streaming_pull_response.count
- type: long
- description: Cumulative count of streaming pull responses, grouped by result.
- - name: topic.unacked_bytes_by_region.bytes
- type: long
- description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
- - name: subscription.ack_latencies.value
- type: object
- object_type: histogram
- description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
- - name: subscription.push_request_latencies.value
- type: object
- object_type: histogram
- description: Distribution of push request latencies (in microseconds), grouped by result.
diff --git a/packages/gcp/2.11.6/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/pubsub/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.6/data_stream/pubsub/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.6/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.6/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.6/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.6/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.6/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.6/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.6/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.6/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.6/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.6/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.6/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.6/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage
diff --git a/packages/gcp/2.11.6/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.6/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.6/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.6/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.6/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.6/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.6/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.6/data_stream/storage/manifest.yml b/packages/gcp/2.11.6/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.6/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.6/data_stream/storage/sample_event.json b/packages/gcp/2.11.6/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.6/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.6/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.6/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.6/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.6/data_stream/vpcflow/fields/base-fields.yml deleted file mode 100755 index 09f5a3a04a..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.vpcflow diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.6/data_stream/vpcflow/fields/ecs.yml deleted file mode 100755 index 87e2bcffa2..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.6/data_stream/vpcflow/fields/fields.yml deleted file mode 100755 index afd0aca3fa..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.6/data_stream/vpcflow/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.6/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.11.6/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.6/data_stream/vpcflow/sample_event.json deleted file mode 100755 index a1244c2cca..0000000000 --- a/packages/gcp/2.11.6/data_stream/vpcflow/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/docs/README.md b/packages/gcp/2.11.6/docs/README.md deleted file mode 100755 index d2788c2ffd..0000000000 --- a/packages/gcp/2.11.6/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
-
-### DNS
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword |
-
-
-An example event for `firestore` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
\No newline at end of file
diff --git a/packages/gcp/2.11.6/docs/audit.md b/packages/gcp/2.11.6/docs/audit.md
deleted file mode 100755
index ec4a74ece5..0000000000
--- a/packages/gcp/2.11.6/docs/audit.md
+++ /dev/null
@@ -1,268 +0,0 @@
-# Audit
-
-## Logs
-
-The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.email | User email address. | keyword |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
-```
\No newline at end of file
diff --git a/packages/gcp/2.11.6/docs/billing.md b/packages/gcp/2.11.6/docs/billing.md
deleted file mode 100755
index 30701286fe..0000000000
--- a/packages/gcp/2.11.6/docs/billing.md
+++ /dev/null
@@ -1,106 +0,0 @@
-# Billing
-
-## Metrics
-
-The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis.
-
-Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data.
-
-In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details.
-
-## Sample Event
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp.
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.6/docs/compute.md b/packages/gcp/2.11.6/docs/compute.md
deleted file mode 100755
index f44bacd928..0000000000
--- a/packages/gcp/2.11.6/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.6/docs/dataproc.md b/packages/gcp/2.11.6/docs/dataproc.md deleted file mode 100755 index acfb02d2d1..0000000000 --- a/packages/gcp/2.11.6/docs/dataproc.md +++ /dev/null 
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long | -| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long | -| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double | -| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double | -| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long | -| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object | -| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long | -| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long | -| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object | -| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long | -| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.6/docs/dns.md b/packages/gcp/2.11.6/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.6/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.6/docs/firestore.md b/packages/gcp/2.11.6/docs/firestore.md deleted file mode 100755 index 71627a4718..0000000000 --- a/packages/gcp/2.11.6/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. 
| long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.6/docs/firewall.md b/packages/gcp/2.11.6/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.6/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.6/docs/gke.md b/packages/gcp/2.11.6/docs/gke.md deleted file mode 100755 index 367fcec297..0000000000 --- a/packages/gcp/2.11.6/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network.
Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.6/docs/loadbalancing.md b/packages/gcp/2.11.6/docs/loadbalancing.md
deleted file mode 100755
index ed197598a2..0000000000
--- a/packages/gcp/2.11.6/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.6/docs/pubsub.md b/packages/gcp/2.11.6/docs/pubsub.md
deleted file mode 100755
index eaa2b29e3d..0000000000
--- a/packages/gcp/2.11.6/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.6/docs/storage.md b/packages/gcp/2.11.6/docs/storage.md
deleted file mode 100755
index 690d821c5b..0000000000
--- a/packages/gcp/2.11.6/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.6/docs/vpcflow.md b/packages/gcp/2.11.6/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.6/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/img/filebeat-gcp-audit.png b/packages/gcp/2.11.6/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.6/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.6/img/gcp-billing.png b/packages/gcp/2.11.6/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.6/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.6/img/gcp-compute.png b/packages/gcp/2.11.6/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.6/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.6/img/logo_gcp.svg b/packages/gcp/2.11.6/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.6/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.6/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.6/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.6/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.6/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs GCP] Firewall",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7",
- "type": "index-pattern"
- 
},
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 22d953a269..0000000000
--- a/packages/gcp/2.11.6/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing L3 Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing L3 Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa",
- "type": "visualization"
- },
- {
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3",
- "type": "visualization"
- },
- {
- "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87",
- "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86",
- "type": "visualization"
- },
- {
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a",
- "type": "visualization"
- },
- {
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/2.11.6/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.6/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.6/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.6/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.6/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.6/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.6/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.6/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.6/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.6/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index fd06344701..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 861368f819..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 3e08b8a182..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 8895100042..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index fbbf68f4d4..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 8b7e7300c9..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 94a8ff52e0..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.6/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 441aac75ab..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
deleted file mode 100755
index fa3f3fa3e8..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 214ee0c212..0000000000
--- a/packages/gcp/2.11.6/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.6/manifest.yml b/packages/gcp/2.11.6/manifest.yml deleted file mode 100755 index e734ea40b5..0000000000 --- a/packages/gcp/2.11.6/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.6" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.7/LICENSE.txt b/packages/gcp/2.11.7/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.7/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/gcp/2.11.7/changelog.yml b/packages/gcp/2.11.7/changelog.yml deleted file mode 100755 index 1c377df53d..0000000000 --- a/packages/gcp/2.11.7/changelog.yml +++ /dev/null 
@@ -1,287 +0,0 @@ -# newer versions go on top -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.7/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.7/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.7/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.7/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.7/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.7/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.7/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.7/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.7/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.7/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.7/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client."
diff --git a/packages/gcp/2.11.7/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/audit/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.7/data_stream/audit/manifest.yml b/packages/gcp/2.11.7/data_stream/audit/manifest.yml
deleted file mode 100755
index 9386ed5ea0..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) audit logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.7/data_stream/audit/sample_event.json b/packages/gcp/2.11.7/data_stream/audit/sample_event.json
deleted file mode 100755
index 095cfe4a14..0000000000
--- a/packages/gcp/2.11.7/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/billing/agent/stream/stream.yml.hbs
deleted file mode 100755
index ed6242e5ba..0000000000
--- a/packages/gcp/2.11.7/data_stream/billing/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12 +0,0 @@
-metricsets: ["billing"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-dataset_id: {{dataset_id}}
-table_pattern: {{table_pattern}}
-cost_type: {{cost_type}}
diff --git a/packages/gcp/2.11.7/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.7/data_stream/billing/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/gcp/2.11.7/data_stream/billing/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/billing/fields/base-fields.yml
deleted file mode 100755
index c6cc715075..0000000000
--- a/packages/gcp/2.11.7/data_stream/billing/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.billing
diff --git a/packages/gcp/2.11.7/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/billing/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.7/data_stream/billing/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.7/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.7/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.7/data_stream/billing/manifest.yml b/packages/gcp/2.11.7/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.7/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.7/data_stream/billing/sample_event.json b/packages/gcp/2.11.7/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.7/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.7/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.7/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.7/data_stream/compute/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/compute/fields/base-fields.yml
deleted file mode 100755
index e53dc6c3e2..0000000000
--- a/packages/gcp/2.11.7/data_stream/compute/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.compute
diff --git a/packages/gcp/2.11.7/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/compute/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.7/data_stream/compute/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.7/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.7/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.7/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/compute/manifest.yml b/packages/gcp/2.11.7/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.7/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/compute/sample_event.json b/packages/gcp/2.11.7/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.7/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.7/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.7/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/dataproc/fields/base-fields.yml
deleted file mode 100755
index 0dbeaa24e6..0000000000
--- a/packages/gcp/2.11.7/data_stream/dataproc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dataproc
diff --git a/packages/gcp/2.11.7/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/dataproc/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.7/data_stream/dataproc/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.7/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.7/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.7/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.7/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.7/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.7/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.7/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.7/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.7/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.7/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.7/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.7/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.7/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.7/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.7/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.7/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.7/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.7/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.7/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.7/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.7/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.7/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -- name: gcp.dns - type: group - fields: - - name: auth_answer - type: boolean - description: Authoritative answer. - - name: destination_ip - type: ip - description: Destination IP address, only applicable for forwarding cases. - - name: egress_error - type: keyword - description: Egress proxy error. - - name: protocol - type: keyword - description: Protocol TCP or UDP. - - name: query_name - type: keyword - description: DNS query name. - - name: query_type - type: keyword - description: DNS query type. - - name: rdata - type: keyword - description: DNS answer in presentation format, truncated to 260 bytes. - - name: response_code - type: keyword - description: Response code. - - name: server_latency - type: integer - description: Server latency. - - name: source_ip - type: ip - description: Source IP address of the query. - - name: source_network - type: keyword - description: Source network of the query. - - name: vm_instance_id - type: keyword - description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_instance_name - type: keyword - description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. - - name: vm_project_id - type: keyword - description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. - - name: vm_zone_name - type: keyword - description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. - - name: source_type - type: keyword - description: >- - Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet - - name: target_type - type: keyword - description: >- - Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet 
diff --git a/packages/gcp/2.11.7/data_stream/dns/manifest.yml b/packages/gcp/2.11.7/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.7/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.7/data_stream/dns/sample_event.json b/packages/gcp/2.11.7/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.7/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@ -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} \ No 
newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/firestore/agent/stream/stream.yml.hbs deleted file mode 100755 index 646db263d0..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: firestore - metric_types: - - "document/delete_count" - - "document/read_count" - - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.7/data_stream/firestore/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.7/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.7/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 
--- a/packages/gcp/2.11.7/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.7/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/firestore/manifest.yml b/packages/gcp/2.11.7/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Firestore Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Firestore Metrics - description: Collect GCP Firestore Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/firestore/sample_event.json b/packages/gcp/2.11.7/data_stream/firestore/sample_event.json deleted file mode 100755 index ddfe07c3a2..0000000000 --- a/packages/gcp/2.11.7/data_stream/firestore/sample_event.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.7/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.7/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.7/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05c30443fa..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.7/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.7/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.7/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.7/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.7/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.7/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.7/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/2.11.7/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.7/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.7/data_stream/firewall/manifest.yml b/packages/gcp/2.11.7/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.7/data_stream/firewall/sample_event.json b/packages/gcp/2.11.7/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.7/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/gke/agent/stream/stream.yml.hbs deleted file mode 100755 index 5d212d9c02..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.7/data_stream/gke/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.7/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.7/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.7/data_stream/gke/fields/fields.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.7/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/gke/manifest.yml b/packages/gcp/2.11.7/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/gke/sample_event.json b/packages/gcp/2.11.7/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.7/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eb4ae24a86..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index f10556ac50..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,214 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. 
- name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. 
- name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.7/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 
--- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/manifest.yml
deleted file mode 100755
index 4e669823a3..0000000000
--- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Load Balancing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Load Balancing Metrics
- description: Collect GCP Load Balancing Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/sample_event.json
deleted file mode 100755
index a0e5d35b49..0000000000
--- a/packages/gcp/2.11.7/data_stream/loadbalancing_metrics/sample_event.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.7/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.7/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 2a31d79f49..0000000000 --- a/packages/gcp/2.11.7/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.7/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.7/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.7/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.7/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.7/data_stream/pubsub/fields/fields.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.7/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.7/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.7/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.7/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.7/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.7/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.7/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 2a31d79f49..0000000000
--- a/packages/gcp/2.11.7/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/gcp/2.11.7/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.7/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.7/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.7/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.7/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.7/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.7/data_stream/storage/manifest.yml b/packages/gcp/2.11.7/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.7/data_stream/storage/sample_event.json b/packages/gcp/2.11.7/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.7/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.7/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.7/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.7/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.7/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.7/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.7/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.7/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.7/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.7/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.7/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.7/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.7/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/docs/README.md b/packages/gcp/2.11.7/docs/README.md
deleted file mode 100755
index d2788c2ffd..0000000000
--- a/packages/gcp/2.11.7/docs/README.md
+++ /dev/null
@@ -1,1536 +0,0 @@
-# Google Cloud Platform Integration
-
-The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink.
-
-## Authentication
-
-To use this Google Cloud Platform (GCP) integration, you need to set up a
-*Service Account* with a *Role* and a *Service Account Key* to access data on
-your GCP project.
-
-### Service Account
-
-First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources.
-
-The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs.
-
-If you haven't already, this might be a good moment to check out the [best
-practices for securing service
-accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts)
-guide.
-
-### Role
-
-You need to grant your Service Account (SA) access to Google Cloud Platform
-resources by assigning a role to the account. In order to assign minimal
-privileges, create a custom role that has only the privileges required by Agent.
-Those privileges are:
-
-- `pubsub.subscriptions.consume`
-- `pubsub.subscriptions.create` *
-- `pubsub.subscriptions.get`
-- `pubsub.topics.attachSubscription` *
-
-\* Only required if Agent is expected to create a new subscription. If you
-create the subscriptions yourself you may omit these privileges.
-
-After you have created the custom role, assign the role to your service account.
-
-### Service Account Keys
-
-Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key.
-
-From the list of SA:
-
-1. Click the one you just created to open the detailed view.
-2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type.
-3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost).
-
-## Configure the Integration Settings
-
-The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow).
-
-The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration.
-
-### Project Id
-
-The Project Id is the Google Cloud project ID where your resources exist.
-
-### Credentials File vs Json
-
-Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field.
-
-#### Option 1: Credentials File
-
-Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file.
-
-Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`.
-
-#### Option 2: Credentials JSON
-
-Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration.
-
-#### Recommendations
-
-Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data.
-
-## Logs Collection Configuration
-
-With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs.
-
-### Requirements
-
-You need to create a few dedicated Google Cloud resources before starting, in detail:
-
-- Log Sink
-- Pub/Sub Topic
-- Subscription
-
-Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream.
-
-Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration.
-
-### On the Google Cloud Console
-
-At a high level, the steps required are:
-
-- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description.
-- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration.
-- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings.
-- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs.
-
-This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic.
-
-More example filters for different log types:
-
-```text
-#
-# VPC Flow: logs for specific subnet
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/vpc_flows") AND
-resource.labels.subnetwork_name"=[SUBNET_NAME]"
-#
-# Audit: Google Compute Engine firewall rule deletion
-#
-resource.type="gce_firewall_rule" AND
-log_id("cloudaudit.googleapis.com/activity") AND
-protoPayload.methodName:"firewalls.delete"
-#
-# DNS: all DNS queries
-#
-resource.type="dns_query"
-#
-# Firewall: logs for a given country
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/firewall") AND
-jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3]
-```
-
-Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack.
-
-To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs.
-
-### On Kibana
-
-Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created.
-
-From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and:
-
-- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console.
-- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console).
-- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy.
-
-### Troubleshooting
-
-If you don't see Audit logs showing up, check the Agent logs to see if there are errors.
-
-Common error types:
-
-- Missing roles in the Service Account
-- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields
-
-#### Missing Roles in the Service Account
-
-If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset:
-
-```text
-failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action.
-```
-
-Solution: make sure your SA has all the required roles.
-
-#### Misconfigured Settings
-
-If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset:
-
-```text
-[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information.
-```
-
-Solution: double check the integration settings.
-
-## Logs
-
-### Audit
-
-The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.email | User email address. | keyword |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. 
| keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. 
| keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-06-28T02:45:52.230Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-06-28T02:45:53Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status_value": "Success"
- },
- "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency.
| integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind":
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword |
-
-
-An example event for `billing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-### Compute
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
-
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.7/docs/audit.md b/packages/gcp/2.11.7/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.7/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.7/docs/billing.md b/packages/gcp/2.11.7/docs/billing.md deleted file mode 100755 index 30701286fe..0000000000 --- a/packages/gcp/2.11.7/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.7/docs/compute.md b/packages/gcp/2.11.7/docs/compute.md deleted file mode 100755 index f44bacd928..0000000000 --- a/packages/gcp/2.11.7/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.7/docs/dataproc.md b/packages/gcp/2.11.7/docs/dataproc.md
deleted file mode 100755
index acfb02d2d1..0000000000
--- a/packages/gcp/2.11.7/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message.
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster.
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.7/docs/dns.md b/packages/gcp/2.11.7/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.7/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different.
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query.
| keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
-
"auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/docs/firestore.md b/packages/gcp/2.11.7/docs/firestore.md
deleted file mode 100755
index 71627a4718..0000000000
--- a/packages/gcp/2.11.7/docs/firestore.md
+++ /dev/null
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. 
| long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.7/docs/firewall.md b/packages/gcp/2.11.7/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.7/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.7/docs/gke.md b/packages/gcp/2.11.7/docs/gke.md deleted file mode 100755 index 367fcec297..0000000000 --- a/packages/gcp/2.11.7/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.7/docs/loadbalancing.md b/packages/gcp/2.11.7/docs/loadbalancing.md
deleted file mode 100755
index ed197598a2..0000000000
--- a/packages/gcp/2.11.7/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@
-# Load Balancing
-
-## Logs
-
-The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers.
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.7/docs/pubsub.md b/packages/gcp/2.11.7/docs/pubsub.md
deleted file mode 100755
index eaa2b29e3d..0000000000
--- a/packages/gcp/2.11.7/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.7/docs/storage.md b/packages/gcp/2.11.7/docs/storage.md deleted file mode 100755 index 690d821c5b..0000000000 --- a/packages/gcp/2.11.7/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.7/docs/vpcflow.md b/packages/gcp/2.11.7/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.7/docs/vpcflow.md +++ /dev/null 
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network.
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system.
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number":
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/img/filebeat-gcp-audit.png b/packages/gcp/2.11.7/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.7/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.7/img/gcp-billing.png b/packages/gcp/2.11.7/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.7/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.7/img/gcp-compute.png b/packages/gcp/2.11.7/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.7/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.7/img/logo_gcp.svg b/packages/gcp/2.11.7/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.7/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.7/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.7/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.7/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.7/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.7/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.7/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index f99f385850..0000000000
--- a/packages/gcp/2.11.7/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing HTTPS Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing HTTPS Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87",
- "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213",
- "type": "visualization"
- },
- {
- "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87",
- "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c",
- "type": "visualization"
- },
- {
- "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87",
- "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b",
- "type": "visualization"
- },
- {
- "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87",
- "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648",
- "type": "visualization"
- },
- {
- "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87",
- "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246",
- "type": "visualization"
- },
- {
- "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87",
- "name": "a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d",
- "type": "visualization"
- },
- {
- "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87",
- "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
deleted file mode 100755
index 7e167253d7..0000000000
--- a/packages/gcp/2.11.7/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Compute Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Compute Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083",
- "migrationVersion": {
- "dashboard": "7.14.0"
- },
- "references": [
- {
- "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083",
- "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10",
- "type": "visualization"
- },
- {
- "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd",
- "name": "2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05",
- "type": "visualization"
- },
- {
- "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083",
- "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f",
- "type": "visualization"
- },
- {
- "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083",
- "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842",
- "type": "visualization"
- },
- {
- "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083",
- "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe",
- "type": "visualization"
- },
- {
- "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083",
- "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807",
- "type": "visualization"
- },
- {
- "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083",
- "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce",
- "type": "visualization"
- },
- {
- "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083",
- "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e",
- "type": "visualization"
- },
- {
- "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083",
- "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:09.611Z",
- "version": "WzM3NzQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index a62be39b46..0000000000
--- a/packages/gcp/2.11.7/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "4ca843af-63d7-46b9-a719-51a81eebf1f7": {
- "columnOrder": [
- "2477291e-9021-4eb2-9fce-8da1ee792c49",
- "10b91492-efef-490d-bc7a-c2074b2eae84"
- ],
- "columns": {
- "10b91492-efef-490d-bc7a-c2074b2eae84": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Maximum of gcp.billing.total",
- "operationType": "max",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "2477291e-9021-4eb2-9fce-8da1ee792c49": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Cost Per Project ID",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 20
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "groups": [
- "2477291e-9021-4eb2-9fce-8da1ee792c49"
- ],
- "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "layerType": "data",
- "legendDisplay": "default",
- "metric": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "nestedLegend": false,
- "numberDisplay": "percent"
- }
- ],
- "shape": "pie"
- }
- },
- "title": "Cost Per Project ID [Metrics GCP]",
- "visualizationType": "lnsPie"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.7/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
deleted file mode 100755
index 6a75af55fb..0000000000
--- a/packages/gcp/2.11.7/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "e12171da-25a4-41ea-86d3-8fd71205c263": {
- "columnOrder": [
- "6011e524-4646-410b-8d1c-06c281e8f7ed",
- "f8ab301c-f139-4573-b233-ed8a3f717e24"
- ],
- "columns": {
- "6011e524-4646-410b-8d1c-06c281e8f7ed": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Invoice Month",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 12
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.invoice_month"
- },
- "f8ab301c-f139-4573-b233-ed8a3f717e24": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing Cost",
- "operationType": "sum",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "columns": [
- {
- "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed"
- },
- {
- "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24"
- }
- ],
- "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263",
- "layerType": "data"
- }
- },
- "title": "Total Cost Table [Metrics GCP]",
- "visualizationType": "lnsDatatable"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 98207850ab..0000000000
--- a/packages/gcp/2.11.7/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,153 +0,0 @@
-{
- "attributes": {
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "325e60ce-0fbd-42b0-82f6-b10df31fef6c": {
- "columnOrder": [
- "faaaaf23-f362-4a00-be9e-8a155208a39e",
- "c4bc659c-3e7c-41f2-bc38-32d9edee95e8",
- "3041fc1b-ceb8-4188-b55d-d354819f267e"
- ],
- "columns": {
- "3041fc1b-ceb8-4188-b55d-d354819f267e": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing",
- "operationType": "max",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "1d"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "faaaaf23-f362-4a00-be9e-8a155208a39e": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Project ID",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 10
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- },
- "4ca843af-63d7-46b9-a719-51a81eebf1f7": {
- "columnOrder": [
- "1164563d-d2b3-4067-bc7b-d694179182ed",
- "10b91492-efef-490d-bc7a-c2074b2eae84"
- ],
- "columns": {
- "10b91492-efef-490d-bc7a-c2074b2eae84": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Total Billing Cost",
- "operationType": "sum",
- "scale": "ratio",
- "sourceField": "gcp.billing.total"
- },
- "1164563d-d2b3-4067-bc7b-d694179182ed": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "1d"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "e25f49de-f161-4be8-a8fc-519188a7776c": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Cost",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84",
- "type": "column"
- },
- "orderDirection": "desc",
- "size": 15
- },
- "scale": "ordinal",
- "sourceField": "gcp.billing.project_id"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "fittingFunction": "None",
- "layers": [
- {
- "accessors": [
- "3041fc1b-ceb8-4188-b55d-d354819f267e"
- ],
- "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c",
- "layerType": "data",
- "seriesType": "bar_stacked",
- "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e",
- "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
- },
- "preferredSeriesType": "bar_stacked"
- }
- },
- "title": "Total Cost Bar Chart [Metrics GCP]",
- "visualizationType": "lnsXY"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "lens": "7.15.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.7/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 92147debf4..0000000000
--- a/packages/gcp/2.11.7/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.7/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.7/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.7/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.7/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.7/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index fd06344701..0000000000
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 861368f819..0000000000
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.7/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index 3e08b8a182..0000000000
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 533d332a4b..0000000000
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.7/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.7/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.7/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.7/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.7/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.7/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.7/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.7/manifest.yml b/packages/gcp/2.11.7/manifest.yml deleted file mode 100755 index 8b56ba6408..0000000000 --- a/packages/gcp/2.11.7/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.7" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.8/LICENSE.txt b/packages/gcp/2.11.8/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.8/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/gcp/2.11.8/changelog.yml b/packages/gcp/2.11.8/changelog.yml deleted file mode 100755 index ff4e8ba61d..0000000000 --- a/packages/gcp/2.11.8/changelog.yml +++ /dev/null 
@@ -1,292 +0,0 @@ -# newer versions go on top -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.8/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.8/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/2.11.8/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.8/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 29baf0ede7..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.8/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.8/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.8/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 4a7da76510..0000000000
--- a/packages/gcp/2.11.8/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.audit
diff --git a/packages/gcp/2.11.8/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 4487d9358b..0000000000
--- a/packages/gcp/2.11.8/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.8/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.8/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 12064f765e..0000000000
--- a/packages/gcp/2.11.8/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.8/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.8/data_stream/audit/manifest.yml b/packages/gcp/2.11.8/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.8/data_stream/audit/sample_event.json b/packages/gcp/2.11.8/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.8/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.8/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.8/data_stream/billing/fields/agent.yml deleted file mode 100755 index 55b1dd9741..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.8/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.8/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.8/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.8/data_stream/billing/fields/fields.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: gcp.billing - type: group - description: Google Cloud Billing metrics - fields: - - name: cost_type - type: keyword - description: Cost types include regular, tax, adjustment, and rounding_error. - - name: invoice_month - type: keyword - description: Billing report month. - - name: project_id - type: keyword - description: Project ID of the billing report belongs to. - - name: project_name - type: keyword - description: Project Name of the billing report belongs to. - - name: total - type: float - description: Total billing amount. - - name: billing_account_id - type: keyword - description: Project Billing Account ID. diff --git a/packages/gcp/2.11.8/data_stream/billing/manifest.yml b/packages/gcp/2.11.8/data_stream/billing/manifest.yml deleted file mode 100755 index 0b2342e949..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: "GCP Billing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Billing Metrics - description: Collect GCP Billing Metrics - vars: - - name: period - type: text - title: Period - default: 24h - - name: dataset_id - type: text - title: Dataset ID - multi: false - required: true - show_user: true - description: "Dataset ID that points to the top-level container which contains the actual billing tables." - - name: table_pattern - type: text - title: Table pattern - multi: false - required: true - show_user: true - description: "Daily cost detail billing table name prefix." - default: gcp_billing_export_v1 - - name: cost_type - type: text - title: Cost Type - multi: false - required: true - show_user: true - description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" - default: regular 
diff --git a/packages/gcp/2.11.8/data_stream/billing/sample_event.json b/packages/gcp/2.11.8/data_stream/billing/sample_event.json deleted file mode 100755 index 2acd0b4308..0000000000 --- a/packages/gcp/2.11.8/data_stream/billing/sample_event.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/compute/agent/stream/stream.yml.hbs deleted file mode 100755 index dd973286ef..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: compute - metric_types: - - "firewall/dropped_bytes_count" - - "firewall/dropped_packets_count" - - "instance/cpu/reserved_cores" - - "instance/cpu/usage_time" - - "instance/cpu/utilization" - - "instance/disk/read_bytes_count" - - "instance/disk/read_ops_count" - - "instance/disk/write_bytes_count" - - "instance/disk/write_ops_count" - - "instance/memory/balloon/ram_size" - - "instance/memory/balloon/ram_used" - - "instance/memory/balloon/swap_in_bytes_count" - - "instance/memory/balloon/swap_out_bytes_count" - - "instance/network/received_bytes_count" - - "instance/network/received_packets_count" - - "instance/network/sent_bytes_count" - - "instance/network/sent_packets_count" - - "instance/uptime" - - "instance/uptime_total" diff --git a/packages/gcp/2.11.8/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.8/data_stream/compute/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.8/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.8/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.8/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.8/data_stream/compute/fields/fields.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -- name: gcp.compute - description: Google Cloud Compute metrics - type: group - fields: - - name: firewall.dropped.bytes - type: long - description: Incoming bytes dropped by the firewall - - name: firewall.dropped_packets_count.value - type: long - description: Incoming packets dropped by the firewall - - name: instance.cpu.reserved_cores.value - type: double - description: Number of cores reserved on the host of the instance - - name: instance.cpu.usage_time.sec - type: double - description: Usage for all cores in seconds - - name: instance.cpu.usage.pct - type: double - description: The fraction of the allocated CPU that is currently in use on the instance - - name: instance.disk.read.bytes - type: long - description: Count of bytes read from disk - - name: instance.disk.read_ops_count.value - type: long - description: Count of disk read IO operations - - name: instance.disk.write.bytes - type: long - description: Count of bytes written to disk - - name: instance.disk.write_ops_count.value - type: long - description: Count of disk write IO operations - - name: instance.memory.balloon.ram_size.value - type: long - description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.ram_used.value - type: long - description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_in.bytes - type: long - description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. - - name: instance.memory.balloon.swap_out.bytes - type: long - description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
- - name: instance.network.ingress.bytes - type: long - description: Count of bytes received from the network - - name: instance.network.ingress.packets.count - type: long - description: Count of packets received from the network - - name: instance.network.egress.bytes - type: long - description: Count of bytes sent over the network - - name: instance.network.egress.packets.count - type: long - description: Count of packets sent over the network - - name: instance.uptime.sec - type: long - description: Number of seconds the VM has been running. - - name: instance.uptime_total.sec - type: long - description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.8/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/compute/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.8/data_stream/compute/manifest.yml b/packages/gcp/2.11.8/data_stream/compute/manifest.yml deleted file mode 100755 index b5fba4c90e..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: "GCP Compute Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Compute Metrics - description: Collect GCP Compute Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.8/data_stream/compute/sample_event.json b/packages/gcp/2.11.8/data_stream/compute/sample_event.json deleted file mode 100755 index 62aabe7bdd..0000000000 --- a/packages/gcp/2.11.8/data_stream/compute/sample_event.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/dataproc/agent/stream/stream.yml.hbs deleted file mode 100755 index 914e062aa2..0000000000 --- a/packages/gcp/2.11.8/data_stream/dataproc/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,37 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: dataproc - metric_types: - - "cluster/hdfs/datanodes" - - "cluster/hdfs/storage_capacity" - - "cluster/hdfs/storage_utilization" - - "cluster/hdfs/unhealthy_blocks" - - "cluster/job/failed_count" - - "cluster/job/running_count" - - "cluster/job/submitted_count" - - "cluster/operation/failed_count" - - "cluster/operation/running_count" - - "cluster/operation/submitted_count" - - "cluster/yarn/allocated_memory_percentage" - - "cluster/yarn/apps" - - "cluster/yarn/containers" - - "cluster/yarn/memory_size" - - "cluster/yarn/nodemanagers" - - "cluster/yarn/pending_memory_size" - - "cluster/yarn/virtual_cores" - - "cluster/job/completion_time" - - "cluster/job/duration" - - "cluster/operation/completion_time" - - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.8/data_stream/dataproc/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.8/data_stream/dataproc/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.8/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.8/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.8/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.8/data_stream/dataproc/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.8/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.8/data_stream/dataproc/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: gcp.dataproc - description: Google Cloud Dataproc metrics - type: group - fields: - - name: batch.spark.executors.count - type: long - description: Indicates the number of Batch Spark executors. - - name: cluster.hdfs.datanodes.count - type: long - description: Indicates the number of HDFS DataNodes that are running inside a cluster. - - name: cluster.hdfs.storage_capacity.value - type: double - description: Indicates capacity of HDFS system running on cluster in GB. - - name: cluster.hdfs.storage_utilization.value - type: double - description: The percentage of HDFS storage currently used. - - name: cluster.hdfs.unhealthy_blocks.count - type: long - description: Indicates the number of unhealthy blocks inside the cluster. - - name: cluster.job.failed.count - type: long - description: Indicates the number of jobs that have failed on a cluster. - - name: cluster.job.running.count - type: long - description: Indicates the number of jobs that are running on a cluster. - - name: cluster.job.submitted.count - type: long - description: Indicates the number of jobs that have been submitted to a cluster. - - name: cluster.operation.failed.count - type: long - description: Indicates the number of operations that have failed on a cluster. - - name: cluster.operation.running.count - type: long - description: Indicates the number of operations that are running on a cluster. - - name: cluster.operation.submitted.count - type: long - description: Indicates the number of operations that have been submitted to a cluster. - - name: cluster.yarn.allocated_memory_percentage.value - type: double - description: The percentage of YARN memory is allocated. - - name: cluster.yarn.apps.count - type: long - description: Indicates the number of active YARN applications. - - name: cluster.yarn.containers.count - type: long - description: Indicates the number of YARN containers. 
- - name: cluster.yarn.memory_size.value - type: double - description: Indicates the YARN memory size in GB. - - name: cluster.yarn.nodemanagers.count - type: long - description: Indicates the number of YARN NodeManagers running inside cluster. - - name: cluster.yarn.pending_memory_size.value - type: double - description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. - - name: cluster.yarn.virtual_cores.count - type: long - description: Indicates the number of virtual cores in YARN. - - name: cluster.job.completion_time.value - type: object - object_type: histogram - description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. - - name: cluster.job.duration.value - type: object - object_type: histogram - description: The time jobs have spent in a given state. - - name: cluster.operation.completion_time.value - type: object - object_type: histogram - description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. - - name: cluster.operation.duration.value - type: object - object_type: histogram - description: The time operations have spent in a given state. diff --git a/packages/gcp/2.11.8/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/dataproc/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.8/data_stream/dataproc/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.8/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.8/data_stream/dataproc/manifest.yml
deleted file mode 100755
index 8c46663bcc..0000000000
--- a/packages/gcp/2.11.8/data_stream/dataproc/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: "GCP Dataproc Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Dataproc Metrics
- description: Collect GCP Dataproc Metrics
- vars:
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.8/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.8/data_stream/dataproc/sample_event.json
deleted file mode 100755
index e95592fbfb..0000000000
--- a/packages/gcp/2.11.8/data_stream/dataproc/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.8/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.8/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.8/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 50b0626988..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,375 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: dns-query - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: '6' - if: ctx.network?.transport == "tcp" - - set: - field: network.iana_number - 
value: '17' - if: ctx.network?.transport == "udp" - - set: - field: network.protocol - value: dns - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true -### Internal DNS query parsing - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers`. - source: | - def rdata = ctx.gcp.dns.rdata; - def dns_answers = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - } - ctx.dns.answers = dns_answers; -### External DNS query parsing - - script: - lang: painless - ignore_failure: true - description: This script processes the Public DNS RData into `dns.answers`. - if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List - source: >- - List answers = new ArrayList(); - for (answer in ctx.json.jsonPayload.structuredRdata) { - Map new_answer = new HashMap(); - if(answer.class != null) { - new_answer.put("class", answer.class); - } - if(answer.type != null) { - new_answer.put("type", answer.type); - } - if(answer.ttl != null) { - new_answer.put("ttl", answer.ttl); - } - if(answer.rvalue != null) { - new_answer.put("data", answer.rvalue); - if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { - new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); - } - if (answer.domainName != null) { - new_answer.put("name", answer.domainName); - } - } - answers.add(new_answer); - } - if(ctx.dns.answers == null) { - ctx.dns.put('answers',new ArrayList()); - } - ctx.dns.answers = answers; - - script: - lang: painless - ignore_failure: true - if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List - source: >- - List answers = new ArrayList(); - if(ctx.related == null) { - ctx.put('related', new HashMap()); - } - if(ctx.related.ip == null) { - ctx.related.put('ip',new ArrayList()); - } - if(ctx.dns.resolved_ip == null) { - ctx.dns.put('resolved_ip',new ArrayList()); - } - if(ctx.related.hosts == null) { - ctx.related.put('hosts',new ArrayList()); - } - for (answer in ctx.dns.answers) { - if(['A','AAAA'].contains(answer.type)) { - if(!ctx.related.ip.contains(answer.data)) { - ctx.related.ip.add(answer.data); - } - if(!ctx.dns.resolved_ip.contains(answer.data)) 
{ - ctx.dns.resolved_ip.add(answer.data); - } - } - if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { - ctx.related.hosts.add(answer.data); - } - if(['MX'].contains(answer.type)) { - def mx_server = / /.split(answer.data); - if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) - ctx.related.hosts.add(mx_server[1]); - } - } - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - 
ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - rename: - field: json.resource.labels.target_type - target_field: gcp.dns.target_type - ignore_missing: true - - rename: - field: json.resource.labels.source_type - target_field: gcp.dns.source_type - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx.dns?.question?.name != null - - remove: - field: json - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/gcp/2.11.8/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.8/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.8/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index bc80931b38..0000000000 --- a/packages/gcp/2.11.8/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dns diff --git a/packages/gcp/2.11.8/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/dns/fields/ecs.yml deleted file mode 100755 index a9047fb7ae..0000000000 --- a/packages/gcp/2.11.8/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip 
diff --git a/packages/gcp/2.11.8/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.8/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 0edf352fb0..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.8/data_stream/dns/manifest.yml b/packages/gcp/2.11.8/data_stream/dns/manifest.yml
deleted file mode 100755
index 202ad033f7..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.8/data_stream/dns/sample_event.json b/packages/gcp/2.11.8/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.8/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No
newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.8/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/gcp/2.11.8/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/firestore/fields/base-fields.yml
deleted file mode 100755
index 7d9cfc69ef..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firestore
diff --git a/packages/gcp/2.11.8/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/firestore/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.8/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.8/data_stream/firestore/fields/fields.yml
deleted file mode 100755
index e470f84b87..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/fields/fields.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: gcp.firestore
- description: Google Cloud Firestore metrics
- type: group
- fields:
- - name: document.delete.count
- type: long
- description: The number of successful document deletes.
- - name: document.read.count
- type: long
- description: The number of successful document reads from queries or lookups.
- - name: document.write.count
- type: long
- description: The number of successful document writes.
diff --git a/packages/gcp/2.11.8/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/firestore/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.8/data_stream/firestore/manifest.yml b/packages/gcp/2.11.8/data_stream/firestore/manifest.yml
deleted file mode 100755
index 0b4061f8a5..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.8/data_stream/firestore/sample_event.json b/packages/gcp/2.11.8/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.8/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.8/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.8/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.8/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.8/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.8/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@
----
-description: Pipeline for Google Cloud Firewall Logs
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - community_id:
- source_ip: json.jsonPayload.connection.src_ip
- source_port: json.jsonPayload.connection.src_port
- destination_ip: json.jsonPayload.connection.dest_ip
- destination_port: json.jsonPayload.connection.dest_port
- iana_number: json.jsonPayload.connection.protocol
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.action
- value: firewall-rule
- - set:
- field: cloud.provider
- value: gcp
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.resource.labels.subnetwork_name
- target_field: network.name
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - rename:
- field: json.jsonPayload.disposition
- target_field: event.type
- if: ctx?.json?.jsonPayload?.disposition != null
- - set:
- field: event.type
- value: connection
- if: ctx?.event?.type != null
- - lowercase:
- field: event.type
- - set:
- field: network.direction
- value: inbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
- - set:
- field: network.direction
- value: outbound
- if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
- - set:
- field: network.direction
- value: unknown
- if: ctx?.network?.direction == null
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "outbound"
-
ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "outbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vpc
- target_field: json.jsonPayload.dest_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.instance
- target_field: json.jsonPayload.dest_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.location
- target_field: json.jsonPayload.dest_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_vpc
- target_field: json.jsonPayload.src_vpc
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_instance
- target_field: json.jsonPayload.src_instance
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.remote_location
- target_field: json.jsonPayload.src_location
- if: ctx?.network?.direction == "inbound"
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.protocol
- target_field: network.iana_number
- ignore_missing: true
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number ==
'0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - rename:
- field: json.jsonPayload.connection.dest_ip
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_ip
- target_field: source.address
- ignore_missing: true
- - rename:
- field: json.jsonPayload.connection.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance.vm_name
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance.vm_name
- target_field: destination.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.continent
- target_field: destination.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.country
- target_field: destination.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.region
- target_field: destination.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_location.city
-
target_field: destination.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.continent
- target_field: source.geo.continent_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.country
- target_field: source.geo.country_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.region
- target_field: source.geo.region_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_location.city
- target_field: source.geo.city_name
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_instance
- target_field: gcp.destination.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.dest_vpc
- target_field: gcp.destination.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_instance
- target_field: gcp.source.instance
- ignore_missing: true
- - rename:
- field: json.jsonPayload.src_vpc
- target_field: gcp.source.vpc
- ignore_missing: true
- - rename:
- field: json.jsonPayload.rule_details.reference
- target_field: rule.name
- ignore_missing: true
- - set:
- field: source.ip
- value: "{{source.address}}"
- if: ctx?.source?.address != null
- ignore_failure: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- if: ctx?.destination?.address != null
- ignore_failure: true
- - convert:
- field: gcp.source.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.instance.zone
-
target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.source.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "outbound"
- - convert:
- field: gcp.destination.instance.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.vm_name
- target_field: cloud.instance.name
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.region
- target_field: cloud.region
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.instance.zone
- target_field: cloud.availability_zone
- type: string
- ignore_missing: true
- if: ctx?.network?.direction == "inbound"
- - convert:
- field: gcp.destination.vpc.subnetwork_name
- target_field: network.name
- type: string
- ignore_missing: true
- ignore_failure: true
- if: ctx?.network?.direction == "inbound"
- - set:
- field: network.direction
- value: internal
- if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
- - set:
- field: network.type
- value: ipv4
- if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
- - set:
- field: network.type
- value: ipv6
- if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
- - rename:
- field: json.jsonPayload.rule_details
- target_field: gcp.firewall.rule_details
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.source?.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
- - remove:
- field:
- - gcp.firewall.connection
-
gcp.firewall.dest_location
- - gcp.firewall.disposition
- - gcp.firewall.src_location
- - json
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.8/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.8/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.8/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.8/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 93e2a6ab3b..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firewall diff --git a/packages/gcp/2.11.8/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 9723061204..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.8/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: gcp.firewall - type: group - fields: - - name: rule_details - type: group - fields: - - name: priority - type: long - description: The priority for the firewall rule. - - name: action - type: keyword - description: Action that the rule performs on match. - - name: direction - type: keyword - description: Direction of traffic that matches this rule. - - name: reference - type: keyword - description: Reference to the firewall rule. - - name: source_range - type: keyword - description: List of source ranges that the firewall rule applies to. - - name: destination_range - type: keyword - description: List of destination ranges that the firewall applies to. - - name: source_tag - type: keyword - description: | - List of all the source tags that the firewall rule applies to. - - name: target_tag - type: keyword - description: | - List of all the target tags that the firewall rule applies to. - - name: ip_port_info - type: array - description: | - List of ip protocols and applicable port ranges for rules. - - name: source_service_account - type: keyword - description: | - List of all the source service accounts that the firewall rule applies to. - - name: target_service_account - type: keyword - description: | - List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.11.8/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/firewall/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.8/data_stream/firewall/manifest.yml b/packages/gcp/2.11.8/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.11.8/data_stream/firewall/sample_event.json b/packages/gcp/2.11.8/data_stream/firewall/sample_event.json deleted file mode 100755 index b2ce153fb8..0000000000 --- a/packages/gcp/2.11.8/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/gke/agent/stream/stream.yml.hbs deleted file mode 100755 index 5d212d9c02..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.8/data_stream/gke/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.8/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.8/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.8/data_stream/gke/fields/fields.yml deleted file mode 100755 index ccef93d523..0000000000 
--- a/packages/gcp/2.11.8/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- name: gcp.gke - description: Google Cloud GKE metrics - type: group - fields: - - name: container.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. - - name: container.cpu.limit_cores.value - type: double - description: CPU cores limit of the container. Sampled every 60 seconds. - - name: container.cpu.limit_utilization.pct - type: double - description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.cpu.request_cores.value - type: double - description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.cpu.request_utilization.pct - type: double - description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.ephemeral_storage.limit.bytes - type: long - description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.request.bytes - type: long - description: Local ephemeral storage request in bytes. Sampled every 60 seconds. - - name: container.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. - - name: container.memory.limit.bytes - type: long - description: Memory limit of the container in bytes. Sampled every 60 seconds. - - name: container.memory.limit_utilization.pct - type: double - description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. 
Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.page_fault.count - type: long - description: Number of page faults, broken down by type, major and minor. - - name: container.memory.request.bytes - type: long - description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.memory.request_utilization.pct - type: double - description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: container.memory.used.bytes - type: long - description: Memory usage in bytes. Sampled every 60 seconds. - - name: container.restart.count - type: long - description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: container.uptime.sec - type: double - description: Time in seconds that the container has been running. Sampled every 60 seconds. - - name: node.cpu.allocatable_cores.value - type: double - description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. - - name: node.cpu.allocatable_utilization.pct - type: double - description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. - - name: node.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. - - name: node.cpu.total_cores.value - type: double - description: Total number of CPU cores on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.allocatable.bytes - type: long - description: Local ephemeral storage bytes allocatable on the node. 
Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_free.value - type: long - description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.inodes_total.value - type: long - description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. - - name: node.ephemeral_storage.total.bytes - type: long - description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. - - name: node.ephemeral_storage.used.bytes - type: long - description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.memory.allocatable_utilization.pct - type: double - description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: node.memory.total.bytes - type: long - description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. - - name: node.memory.used.bytes - type: long - description: Cumulative memory bytes used by the node. Sampled every 60 seconds. - - name: node.network.received_bytes.count - type: long - description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. - - name: node.network.sent_bytes.count - type: long - description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. - - name: node.pid_limit.value - type: long - description: The max PID of OS on the node. Sampled every 60 seconds. - - name: node.pid_used.value - type: long - description: The number of running process in the OS on the node. Sampled every 60 seconds. 
- - name: node_daemon.cpu.core_usage_time.sec - type: double - description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. - - name: node_daemon.memory.used.bytes - type: long - description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. - - name: pod.network.received.bytes - type: long - description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. - - name: pod.network.sent.bytes - type: long - description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. - - name: pod.volume.total.bytes - type: long - description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. - - name: pod.volume.used.bytes - type: long - description: Number of disk bytes used by the pod. Sampled every 60 seconds. - - name: pod.volume.utilization.pct - type: double - description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.11.8/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/gke/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.8/data_stream/gke/manifest.yml b/packages/gcp/2.11.8/data_stream/gke/manifest.yml deleted file mode 100755 index 971b64d46b..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP GKE Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP GKE Metrics - description: Collect GCP GKE Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.8/data_stream/gke/sample_event.json b/packages/gcp/2.11.8/data_stream/gke/sample_event.json deleted file mode 100755 index d4edec9bb4..0000000000 --- a/packages/gcp/2.11.8/data_stream/gke/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/base-fields.yml deleted file mode 100755 index 5d5236cac3..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/ecs.yml deleted file mode 100755 index fb2886752f..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/ecs.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.8/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 --- a/packages/gcp/2.11.8/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.8/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.8/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.8/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. -
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/pubsub/fields/base-fields.yml
deleted file mode 100755
index 2ca07084fc..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.pubsub
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/pubsub/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.8/data_stream/pubsub/fields/fields.yml
deleted file mode 100755
index 18b09ae2c1..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/fields/fields.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result.
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/pubsub/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.8/data_stream/pubsub/manifest.yml
deleted file mode 100755
index 39d8944a03..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP PubSub Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP PubSub Metrics
- description: Collect GCP PubSub Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.8/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.8/data_stream/pubsub/sample_event.json
deleted file mode 100755
index c8419630eb..0000000000
--- a/packages/gcp/2.11.8/data_stream/pubsub/sample_event.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.8/data_stream/storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd1f37e511..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: storage
- metric_types:
- - "api/request_count"
- - "authz/acl_based_object_access_count"
- - "authz/acl_operations_count"
- - "authz/object_specific_acl_mutation_count"
- - "network/received_bytes_count"
- - "network/sent_bytes_count"
- - "storage/object_count"
- - "storage/total_byte_seconds"
- - "storage/total_bytes"
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.8/data_stream/storage/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. -
diff --git a/packages/gcp/2.11.8/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/storage/fields/base-fields.yml
deleted file mode 100755
index 5f309fd4f7..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.storage
diff --git a/packages/gcp/2.11.8/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/storage/fields/ecs.yml
deleted file mode 100755
index 50c7f8c166..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/fields/ecs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.8/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.8/data_stream/storage/fields/fields.yml
deleted file mode 100755
index 5e8d4e279b..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/fields/fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp.storage
- description: Google Cloud Storage metrics
- type: group
- fields:
- - name: api.request.count
- type: long
- description: Delta count of API calls, grouped by the API method name and response code.
- - name: authz.acl_based_object_access.count
- type: long
- description: Delta count of requests that result in an object being granted access solely due to object ACLs.
- - name: authz.acl_operations.count
- type: long
- description: Usage of ACL operations broken down by type.
- - name: authz.object_specific_acl_mutation.count
- type: long
- description: Delta count of changes made to object specific ACLs.
- - name: network.received.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: network.sent.bytes
- type: long
- description: Delta count of bytes sent over the network, grouped by the API method name and response code.
- - name: storage.object.count
- type: long
- description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
- - name: storage.total_byte_seconds.bytes
- type: long
- description: Delta count of bytes received over the network, grouped by the API method name and response code.
- - name: storage.total.bytes
- type: long
- description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
diff --git a/packages/gcp/2.11.8/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/storage/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.8/data_stream/storage/manifest.yml b/packages/gcp/2.11.8/data_stream/storage/manifest.yml
deleted file mode 100755
index fff1d6910a..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Storage Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Storage Metrics
- description: Collect GCP Storage Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.8/data_stream/storage/sample_event.json b/packages/gcp/2.11.8/data_stream/storage/sample_event.json
deleted file mode 100755
index 0b0e8e65ed..0000000000
--- a/packages/gcp/2.11.8/data_stream/storage/sample_event.json
+++ /dev/null
@@ -1,54 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.8/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.8/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 52c89261fa..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.8/data_stream/vpcflow/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.8/data_stream/vpcflow/fields/base-fields.yml deleted file mode 100755 index 09f5a3a04a..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.vpcflow diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.8/data_stream/vpcflow/fields/ecs.yml deleted file mode 100755 index 87e2bcffa2..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.8/data_stream/vpcflow/fields/fields.yml deleted file mode 100755 index afd0aca3fa..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: gcp.vpcflow - type: group - fields: - - name: reporter - type: keyword - description: | - The side which reported the flow. Can be either 'SRC' or 'DEST'. - - name: rtt.ms - type: long - description: | - Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.8/data_stream/vpcflow/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.8/data_stream/vpcflow/manifest.yml deleted file mode 100755 index d6fd91bbab..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) vpcflow logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-vpcflow - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-vpcflow - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-vpcflow - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.11.8/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.8/data_stream/vpcflow/sample_event.json deleted file mode 100755 index a1244c2cca..0000000000 --- a/packages/gcp/2.11.8/data_stream/vpcflow/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 94, - "transport": "tcp", 
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/docs/README.md b/packages/gcp/2.11.8/docs/README.md deleted file mode 100755 index 5194cf59ef..0000000000 --- a/packages/gcp/2.11.8/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@ -# Google Cloud Platform Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" -# -# DNS: all DNS queries -# -resource.type="dns_query" -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
-```
-
-### Firewall
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
-| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
-| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
-| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
-| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
-| gcp.firewall.rule_details.reference | Reference to the firewall rule.
| keyword |
-| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
-| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event.
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:47:26.097Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-06-28T02:47:27Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously.
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval.
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.8/docs/audit.md b/packages/gcp/2.11.8/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.8/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. 
| keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.8/docs/billing.md b/packages/gcp/2.11.8/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.8/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. 
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/compute.md b/packages/gcp/2.11.8/docs/compute.md deleted file mode 100755 index 34b3d0eee8..0000000000 --- a/packages/gcp/2.11.8/docs/compute.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Compute - -## Metrics - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). - -Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. - -## Sample Event - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - "bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | -| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | -| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | -| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | -| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | -| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | -| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | -| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | -| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | -| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | -| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/dataproc.md b/packages/gcp/2.11.8/docs/dataproc.md deleted file mode 100755 index 0b90005cea..0000000000 --- a/packages/gcp/2.11.8/docs/dataproc.md +++ /dev/null 
@@ -1,142 +0,0 @@ -# Dataproc - -## Metrics - -The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `dataproc` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long | -| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long | -| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double | -| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double | -| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long | -| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object | -| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long | -| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long | -| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object | -| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object | -| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long | -| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long | -| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | -| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | -| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | -| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | -| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | -| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | -| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | -| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/dns.md b/packages/gcp/2.11.8/docs/dns.md deleted file mode 100755 index 95150589be..0000000000 --- a/packages/gcp/2.11.8/docs/dns.md +++ /dev/null 
@@ -1,202 +0,0 @@ -# DNS - -## Logs - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. | integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. 
| keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - 
"auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.8/docs/firestore.md b/packages/gcp/2.11.8/docs/firestore.md deleted file mode 100755 index 2b8c97370e..0000000000 --- a/packages/gcp/2.11.8/docs/firestore.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/firewall.md b/packages/gcp/2.11.8/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.8/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.8/docs/gke.md b/packages/gcp/2.11.8/docs/gke.md deleted file mode 100755 index 58c31a0c39..0000000000 --- a/packages/gcp/2.11.8/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long | -| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | -| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | -| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | -| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. 
Sampled every 60 seconds. | long | -| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | -| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.8/docs/loadbalancing.md b/packages/gcp/2.11.8/docs/loadbalancing.md
deleted file mode 100755
index b7f53f6ca7..0000000000
--- a/packages/gcp/2.11.8/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Load Balancing - -## Logs - -The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | -| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | -| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | -| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | -| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | -| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | -| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | -| gcp.load_balancer.url_map_name | The URL map name | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -## Metrics - -The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). - -An example event for `loadbalancing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - 
}, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | -| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | -| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | -| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. 
| object | -| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | -| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | -| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | -| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | -| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | -| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | -| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | -| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. 
| long | -| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | -| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | -| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | -| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | -| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | -| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | -| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | -| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/gcp/2.11.8/docs/pubsub.md b/packages/gcp/2.11.8/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.8/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@ -# PubSub - -## Metrics - -The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `pubsub` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | -| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | -| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | -| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | -| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long | -| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | -| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | -| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | -| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | -| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | -| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | -| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | -| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | -| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | -| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | -| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | -| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | -| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | -| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | -| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long | -| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | -| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | -| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | -| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | -| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | -| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | -| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long | -| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | -| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | -| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | -| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/storage.md b/packages/gcp/2.11.8/docs/storage.md deleted file mode 100755 index fca7e1a230..0000000000 --- a/packages/gcp/2.11.8/docs/storage.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Storage - -## Metrics - -The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `storage` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.storage", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "storage": { - "storage": { - "total": { - "bytes": 4472520191 - } - }, - "network": { - "received": { - "bytes": 4472520191 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "storage", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | -| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | -| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | -| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | -| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | -| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | -| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.8/docs/vpcflow.md b/packages/gcp/2.11.8/docs/vpcflow.md deleted file mode 100755 index 65a292796a..0000000000 
--- a/packages/gcp/2.11.8/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/img/filebeat-gcp-audit.png b/packages/gcp/2.11.8/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.8/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.8/img/gcp-billing.png b/packages/gcp/2.11.8/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.8/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.8/img/gcp-compute.png b/packages/gcp/2.11.8/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.8/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.8/img/logo_gcp.svg b/packages/gcp/2.11.8/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.8/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - -
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json deleted file mode 100755 index a9b37f3dfc..0000000000 --- a/packages/gcp/2.11.8/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1", - "type": "visualization" - }, - { - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c", - "type": "visualization" - }, - { - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713", - "type": "visualization" - }, - { - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0", - "type": "visualization" - }, - { - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095", - "type": "visualization" - }, - { - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM3OTgsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Billing Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580", - "type": "visualization" - }, - { - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c", - "type": "lens" - }, - { - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d", - "type": "lens" - }, - { - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad", - "type": "lens" - }, - { - "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", - "type": "lens" - }, - { - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs GCP] Firewall",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7",
- "type": "index-pattern"
- 
},
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index 22d953a269..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "description": "Overview of GCP Load Balancing L3 Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing L3 Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87",
- "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa",
- "type": "visualization"
- },
- {
- "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87",
- "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3",
- "type": "visualization"
- },
- {
- "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87",
- "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86",
- "type": "visualization"
- },
- {
- "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87",
- "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a",
- "type": "visualization"
- },
- {
- "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87",
- "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:11.683Z",
- "version": "WzM3OTIsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
deleted file mode 100755
index f99f385850..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json
+++ /dev/null
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d",
- "type": "visualization"
- },
- {
- "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87",
- "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:10.632Z",
- "version": "WzM3ODQsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.8/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
deleted file mode 100755
index 7e167253d7..0000000000
--- a/packages/gcp/2.11.8/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json
+++ /dev/null
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.8/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.8/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
deleted file mode 100755
index 6a75af55fb..0000000000
--- a/packages/gcp/2.11.8/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json
+++ /dev/null
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 98207850ab..0000000000
--- a/packages/gcp/2.11.8/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.8/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.8/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.8/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.8/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.8/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.8/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.8/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.8/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.8/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.8/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.8/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.8/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.8/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.8/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.8/manifest.yml b/packages/gcp/2.11.8/manifest.yml deleted file mode 100755 index 0cbc0ec7c0..0000000000 --- a/packages/gcp/2.11.8/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.8" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/gcp/2.11.9/LICENSE.txt b/packages/gcp/2.11.9/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/gcp/2.11.9/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/gcp/2.11.9/changelog.yml b/packages/gcp/2.11.9/changelog.yml
deleted file mode 100755
index 0c13f282a0..0000000000
--- a/packages/gcp/2.11.9/changelog.yml
+++ /dev/null
@@ -1,297 +0,0 @@ -# newer versions go on top -- version: "2.11.9" - changes: - - description: Fix GKE kubernetes.io indentation. - type: bugfix - link: https://github.com/elastic/integrations/pull/4355 -- version: "2.11.8" - changes: - - description: Remove duplicate fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "2.11.7" - changes: - - description: Move Dataproc lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4270 -- version: "2.11.6" - changes: - - description: Move LoadBalancing lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4269 -- version: "2.11.5" - changes: - - description: Move Storage lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4268 -- version: "2.11.4" - changes: - - description: Move PubSub lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/4267 -- version: "2.11.3" - changes: - - description: Move GKE lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.11.2" - changes: - - description: Move Firestore lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3798 -- version: "2.11.1" - changes: - - description: Use ECS geo.location definition. 
- type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.11.0" - changes: - - description: Move Compute lightweight module config into integration - type: enhancement - link: https://github.com/elastic/integrations/pull/3797 -- version: "2.10.0" - changes: - - description: Add GCP PubSub Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3788 -- version: "2.9.0" - changes: - - description: Add GCP Dataproc Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3789 -- version: "2.8.0" - changes: - - description: Add GCP GKE Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4098 -- version: "2.7.0" - changes: - - description: Add GCP Storage Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/3785 -- version: "2.6.0" - changes: - - description: Add Load Balancing logs datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3493 -- version: "2.5.0" - changes: - - description: Add GCP Load Balancing Metricset - type: enhancement - link: https://github.com/elastic/integrations/pull/2308 - - description: Fix credentials_json escaping in loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Update loadbalancing_metrics default period to 60s - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Fix event.dataset for loadbalancing_metrics - type: bugfix - link: https://github.com/elastic/integrations/pull/3986 - - description: Add loadbalancing_metrics distribution fields - type: enhancement - link: https://github.com/elastic/integrations/pull/4004 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3865 -- version: "2.3.0" - changes: - - description: Add additional parsing for DNS Public 
Zone Query Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/2340 -- version: "2.2.1" - changes: - - description: Fix Billing policy template title and default period for gcp.compute - type: enhancement - link: https://github.com/elastic/integrations/pull/3821 -- version: "2.2.0" - changes: - - description: Remove fields duplicated in ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3609 -- version: "2.1.0" - changes: - - description: restore compatibility with 7.17 release track - type: enhancement - link: foobar -- version: "2.0.0" - changes: - - description: | - Move configurations to support metrics. This change is breaking, as it moves - some configuration from the top level variables to data stream variables. - - This change involves `project_id`, `credentials_file` and `credentials_json` - variables that are moved from input level configuration to package level - configuration (as those variables are reused across all inputs/data streams). - - Users with GCP integration enabled will need to input values for these - variables again when upgrading the policies to this version. - type: breaking-change - link: https://github.com/elastic/integrations/pull/2707 - - description: Add GCP Billing Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2141 - - description: Add GCP Compute Data Stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2301 - - description: Add GCP Firestore Data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/2704 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.9.2" - changes: - - description: Fix GCP auditlog parsing issue on response status - type: bugfix - link: https://github.com/elastic/integrations/pull/3583 -- version: "1.9.1" - changes: - - description: Update readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3103 -- version: "1.9.0" - changes: - - description: Preserve request and response in flattened fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/3390 -- version: "1.8.0" - changes: - - description: Add missing `cloud.provider` field. - type: enhancement - link: https://github.com/elastic/integrations/pull/3274 -- version: "1.7.0" - changes: - - description: Add dashboards for firewall and vpc flow logs. - type: enhancement - link: https://github.com/elastic/integrations/pull/3280 - - description: Add missing mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3280 -- version: "1.6.1" - changes: - - description: Clarify the GCP privileges required by the Pub/Sub input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3206 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Improve Google Cloud Platform docs. - type: enhancement - link: https://github.com/elastic/integrations/pull/2842 -- version: "1.4.2" - changes: - - description: Remove emtpy values, names with only dots, and invalid client IPs. - type: bugfix - link: https://github.com/elastic/integrations/pull/2747 -- version: "1.4.1" - changes: - - description: Fix quoting of the credentials_json value in policy templates. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2712 -- version: "1.4.0" - changes: - - description: Add gcp.dns integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2624 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2406 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2251 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1965 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1818 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1661 -- version: "1.0.0" - changes: - - description: Move from experimental to GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1568 - - description: remove experimental from data_sets - type: enhancement - link: https://github.com/elastic/integrations/pull/1717 -- version: "0.3.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1478 -- version: '0.3.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1385 -- version: "0.3.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.3.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.2.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1240 -- version: "0.1.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1045 -- version: "0.0.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/846 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/2.11.9/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.9/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.9/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.9/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.9/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29baf0ede7..0000000000
--- a/packages/gcp/2.11.9/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,397 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - - - rename: - field: gcp.audit.authentication_info.principal_email - target_field: client.user.email - if: ctx.client?.user?.email == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_email - if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email - ignore_missing: true - - rename: - field: gcp.audit.authentication_info.principal_subject - target_field: client.user.id - if: ctx.client?.user?.id == null - ignore_missing: true - - remove: - field: gcp.audit.authentication_info.principal_subject - if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject - ignore_missing: true -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: 
_ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: user_agent.original - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: event.action - ignore_missing: true - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - remove: - field: gcp.audit.response.status - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.response.status - target_field: gcp.audit.response.status_value - ignore_missing: true - if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - rename: - field: gcp.audit.service_name - target_field: service.name - if: ctx.service?.name == null - ignore_missing: true -## -# .protoPayload.Status -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.9/data_stream/audit/fields/agent.yml b/packages/gcp/2.11.9/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.9/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/2.11.9/data_stream/audit/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 4487d9358b..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/2.11.9/data_stream/audit/fields/fields.yml b/packages/gcp/2.11.9/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.11.9/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.9/data_stream/audit/manifest.yml b/packages/gcp/2.11.9/data_stream/audit/manifest.yml deleted file mode 100755 index 9386ed5ea0..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.11.9/data_stream/audit/sample_event.json b/packages/gcp/2.11.9/data_stream/audit/sample_event.json deleted file mode 100755 index 095cfe4a14..0000000000 --- a/packages/gcp/2.11.9/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": 
"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index ed6242e5ba..0000000000 --- a/packages/gcp/2.11.9/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -dataset_id: {{dataset_id}} -table_pattern: {{table_pattern}} -cost_type: {{cost_type}} diff --git a/packages/gcp/2.11.9/data_stream/billing/fields/agent.yml b/packages/gcp/2.11.9/data_stream/billing/fields/agent.yml deleted file mode 100755 index 55b1dd9741..0000000000 --- a/packages/gcp/2.11.9/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. 
- example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index c6cc715075..0000000000 --- a/packages/gcp/2.11.9/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.billing diff --git a/packages/gcp/2.11.9/data_stream/billing/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/billing/fields/fields.yml b/packages/gcp/2.11.9/data_stream/billing/fields/fields.yml deleted file mode 100755 index 01a7e615bf..0000000000 
--- a/packages/gcp/2.11.9/data_stream/billing/fields/fields.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: gcp.billing
- type: group
- description: Google Cloud Billing metrics
- fields:
- - name: cost_type
- type: keyword
- description: Cost types include regular, tax, adjustment, and rounding_error.
- - name: invoice_month
- type: keyword
- description: Billing report month.
- - name: project_id
- type: keyword
- description: Project ID of the billing report belongs to.
- - name: project_name
- type: keyword
- description: Project Name of the billing report belongs to.
- - name: total
- type: float
- description: Total billing amount.
- - name: billing_account_id
- type: keyword
- description: Project Billing Account ID.
diff --git a/packages/gcp/2.11.9/data_stream/billing/manifest.yml b/packages/gcp/2.11.9/data_stream/billing/manifest.yml
deleted file mode 100755
index 0b2342e949..0000000000
--- a/packages/gcp/2.11.9/data_stream/billing/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: "GCP Billing Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Billing Metrics
- description: Collect GCP Billing Metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 24h
- - name: dataset_id
- type: text
- title: Dataset ID
- multi: false
- required: true
- show_user: true
- description: "Dataset ID that points to the top-level container which contains the actual billing tables."
- - name: table_pattern
- type: text
- title: Table pattern
- multi: false
- required: true
- show_user: true
- description: "Daily cost detail billing table name prefix."
- default: gcp_billing_export_v1
- - name: cost_type
- type: text
- title: Cost Type
- multi: false
- required: true
- show_user: true
- description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error"
- default: regular
diff --git a/packages/gcp/2.11.9/data_stream/billing/sample_event.json b/packages/gcp/2.11.9/data_stream/billing/sample_event.json
deleted file mode 100755
index 2acd0b4308..0000000000
--- a/packages/gcp/2.11.9/data_stream/billing/sample_event.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "01475F-5B1080-1137E7"
- },
- "project": {
- "id": "elastic-bi",
- "name": "elastic-containerlib-prod"
- },
- "provider": "gcp"
- },
- "event": {
- "dataset": "gcp.billing",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "billing": {
- "billing_account_id": "01475F-5B1080-1137E7",
- "cost_type": "regular",
- "invoice_month": "202106",
- "project_id": "containerlib-prod-12763",
- "project_name": "elastic-containerlib-prod",
- "total": 4717.170681
- }
- },
- "metricset": {
- "name": "billing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/compute/agent/stream/stream.yml.hbs
deleted file mode 100755
index dd973286ef..0000000000
--- a/packages/gcp/2.11.9/data_stream/compute/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: compute
- metric_types:
- - "firewall/dropped_bytes_count"
- - "firewall/dropped_packets_count"
- - "instance/cpu/reserved_cores"
- - "instance/cpu/usage_time"
- - "instance/cpu/utilization"
- - "instance/disk/read_bytes_count"
- - "instance/disk/read_ops_count"
- - "instance/disk/write_bytes_count"
- - "instance/disk/write_ops_count"
- - "instance/memory/balloon/ram_size"
- - "instance/memory/balloon/ram_used"
- - "instance/memory/balloon/swap_in_bytes_count"
- - "instance/memory/balloon/swap_out_bytes_count"
- - "instance/network/received_bytes_count"
- - "instance/network/received_packets_count"
- - "instance/network/sent_bytes_count"
- - "instance/network/sent_packets_count"
- - "instance/uptime"
- - "instance/uptime_total"
diff --git a/packages/gcp/2.11.9/data_stream/compute/fields/agent.yml b/packages/gcp/2.11.9/data_stream/compute/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.9/data_stream/compute/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/compute/fields/base-fields.yml deleted file mode 100755 index e53dc6c3e2..0000000000 --- a/packages/gcp/2.11.9/data_stream/compute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.compute diff --git a/packages/gcp/2.11.9/data_stream/compute/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/compute/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/compute/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/compute/fields/fields.yml b/packages/gcp/2.11.9/data_stream/compute/fields/fields.yml deleted file mode 100755 index c55330dd65..0000000000 
--- a/packages/gcp/2.11.9/data_stream/compute/fields/fields.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: gcp.compute
- description: Google Cloud Compute metrics
- type: group
- fields:
- - name: firewall.dropped.bytes
- type: long
- description: Incoming bytes dropped by the firewall
- - name: firewall.dropped_packets_count.value
- type: long
- description: Incoming packets dropped by the firewall
- - name: instance.cpu.reserved_cores.value
- type: double
- description: Number of cores reserved on the host of the instance
- - name: instance.cpu.usage_time.sec
- type: double
- description: Usage for all cores in seconds
- - name: instance.cpu.usage.pct
- type: double
- description: The fraction of the allocated CPU that is currently in use on the instance
- - name: instance.disk.read.bytes
- type: long
- description: Count of bytes read from disk
- - name: instance.disk.read_ops_count.value
- type: long
- description: Count of disk read IO operations
- - name: instance.disk.write.bytes
- type: long
- description: Count of bytes written to disk
- - name: instance.disk.write_ops_count.value
- type: long
- description: Count of disk write IO operations
- - name: instance.memory.balloon.ram_size.value
- type: long
- description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.ram_used.value
- type: long
- description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_in.bytes
- type: long
- description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.memory.balloon.swap_out.bytes
- type: long
- description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
- - name: instance.network.ingress.bytes
- type: long
- description: Count of bytes received from the network
- - name: instance.network.ingress.packets.count
- type: long
- description: Count of packets received from the network
- - name: instance.network.egress.bytes
- type: long
- description: Count of bytes sent over the network
- - name: instance.network.egress.packets.count
- type: long
- description: Count of packets sent over the network
- - name: instance.uptime.sec
- type: long
- description: Number of seconds the VM has been running.
- - name: instance.uptime_total.sec
- type: long
- description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.9/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/compute/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.9/data_stream/compute/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.9/data_stream/compute/manifest.yml b/packages/gcp/2.11.9/data_stream/compute/manifest.yml
deleted file mode 100755
index b5fba4c90e..0000000000
--- a/packages/gcp/2.11.9/data_stream/compute/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP Compute Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Compute Metrics
- description: Collect GCP Compute Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.9/data_stream/compute/sample_event.json b/packages/gcp/2.11.9/data_stream/compute/sample_event.json
deleted file mode 100755
index 62aabe7bdd..0000000000
--- a/packages/gcp/2.11.9/data_stream/compute/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/dataproc/agent/stream/stream.yml.hbs
deleted file mode 100755
index 914e062aa2..0000000000
--- a/packages/gcp/2.11.9/data_stream/dataproc/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: dataproc
- metric_types:
- - "cluster/hdfs/datanodes"
- - "cluster/hdfs/storage_capacity"
- - "cluster/hdfs/storage_utilization"
- - "cluster/hdfs/unhealthy_blocks"
- - "cluster/job/failed_count"
- - "cluster/job/running_count"
- - "cluster/job/submitted_count"
- - "cluster/operation/failed_count"
- - "cluster/operation/running_count"
- - "cluster/operation/submitted_count"
- - "cluster/yarn/allocated_memory_percentage"
- - "cluster/yarn/apps"
- - "cluster/yarn/containers"
- - "cluster/yarn/memory_size"
- - "cluster/yarn/nodemanagers"
- - "cluster/yarn/pending_memory_size"
- - "cluster/yarn/virtual_cores"
- - "cluster/job/completion_time"
- - "cluster/job/duration"
- - "cluster/operation/completion_time"
- - "cluster/operation/duration"
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.11.9/data_stream/dataproc/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.9/data_stream/dataproc/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/dataproc/fields/base-fields.yml deleted file mode 100755 index 0dbeaa24e6..0000000000 --- a/packages/gcp/2.11.9/data_stream/dataproc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.dataproc diff --git a/packages/gcp/2.11.9/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/dataproc/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/dataproc/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.11.9/data_stream/dataproc/fields/fields.yml deleted file mode 100755 index e7086b5977..0000000000 
--- a/packages/gcp/2.11.9/data_stream/dataproc/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: gcp.dataproc
- description: Google Cloud Dataproc metrics
- type: group
- fields:
- - name: batch.spark.executors.count
- type: long
- description: Indicates the number of Batch Spark executors.
- - name: cluster.hdfs.datanodes.count
- type: long
- description: Indicates the number of HDFS DataNodes that are running inside a cluster.
- - name: cluster.hdfs.storage_capacity.value
- type: double
- description: Indicates capacity of HDFS system running on cluster in GB.
- - name: cluster.hdfs.storage_utilization.value
- type: double
- description: The percentage of HDFS storage currently used.
- - name: cluster.hdfs.unhealthy_blocks.count
- type: long
- description: Indicates the number of unhealthy blocks inside the cluster.
- - name: cluster.job.failed.count
- type: long
- description: Indicates the number of jobs that have failed on a cluster.
- - name: cluster.job.running.count
- type: long
- description: Indicates the number of jobs that are running on a cluster.
- - name: cluster.job.submitted.count
- type: long
- description: Indicates the number of jobs that have been submitted to a cluster.
- - name: cluster.operation.failed.count
- type: long
- description: Indicates the number of operations that have failed on a cluster.
- - name: cluster.operation.running.count
- type: long
- description: Indicates the number of operations that are running on a cluster.
- - name: cluster.operation.submitted.count
- type: long
- description: Indicates the number of operations that have been submitted to a cluster.
- - name: cluster.yarn.allocated_memory_percentage.value
- type: double
- description: The percentage of YARN memory is allocated.
- - name: cluster.yarn.apps.count
- type: long
- description: Indicates the number of active YARN applications.
- - name: cluster.yarn.containers.count
- type: long
- description: Indicates the number of YARN containers.
- - name: cluster.yarn.memory_size.value
- type: double
- description: Indicates the YARN memory size in GB.
- - name: cluster.yarn.nodemanagers.count
- type: long
- description: Indicates the number of YARN NodeManagers running inside cluster.
- - name: cluster.yarn.pending_memory_size.value
- type: double
- description: The current memory request, in GB, that is pending to be fulfilled by the scheduler.
- - name: cluster.yarn.virtual_cores.count
- type: long
- description: Indicates the number of virtual cores in YARN.
- - name: cluster.job.completion_time.value
- type: object
- object_type: histogram
- description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
- - name: cluster.job.duration.value
- type: object
- object_type: histogram
- description: The time jobs have spent in a given state.
- - name: cluster.operation.completion_time.value
- type: object
- object_type: histogram
- description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
- - name: cluster.operation.duration.value
- type: object
- object_type: histogram
- description: The time operations have spent in a given state.
diff --git a/packages/gcp/2.11.9/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/dataproc/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.9/data_stream/dataproc/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.9/data_stream/dataproc/manifest.yml b/packages/gcp/2.11.9/data_stream/dataproc/manifest.yml deleted file mode 100755 index 8c46663bcc..0000000000 --- a/packages/gcp/2.11.9/data_stream/dataproc/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: "GCP Dataproc Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - vars: - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.9/data_stream/dataproc/sample_event.json b/packages/gcp/2.11.9/data_stream/dataproc/sample_event.json deleted file mode 100755 index e95592fbfb..0000000000 --- a/packages/gcp/2.11.9/data_stream/dataproc/sample_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.dataproc", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "dataproc": { - "cluster": { - "hdfs": { - "datanodes": { - "count": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "dataproc", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.9/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/2.11.9/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/2.11.9/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.9/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 50b0626988..0000000000 --- a/packages/gcp/2.11.9/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,375 +0,0 @@
----
-description: Pipeline for Google Cloud DNS logs
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - set:
- field: event.action
- value: dns-query
- - set:
- field: cloud.provider
- value: gcp
- - date:
- field: json.timestamp
- timezone: UTC
- formats:
- - ISO8601
- - rename:
- field: json.logName
- target_field: log.logger
- ignore_missing: true
- - rename:
- field: json.severity
- target_field: log.level
- ignore_missing: true
- - set:
- field: event.id
- copy_from: json.insertId
- ignore_empty_value: true
- ignore_failure: true
- - convert:
- field: json.resource.labels.project_id
- target_field: cloud.project.id
- type: string
- ignore_missing: true
- ignore_failure: true
- - convert:
- field: json.resource.labels.location
- target_field: cloud.region
- type: string
- ignore_failure: true
- - rename:
- field: json.jsonPayload.authAnswer
- target_field: gcp.dns.auth_answer
- ignore_missing: true
- - rename:
- field: json.jsonPayload.destinationIP
- target_field: gcp.dns.destination_ip
- ignore_missing: true
- - set:
- field: destination.address
- copy_from: gcp.dns.destination_ip
- ignore_failure: true
- - convert:
- field: gcp.dns.destination_ip
- target_field: destination.ip
- type: ip
- ignore_failure: true
- - rename:
- field: json.jsonPayload.egressError
- target_field: gcp.dns.egress_error
- ignore_missing: true
- - rename:
- field: json.jsonPayload.protocol
- target_field: gcp.dns.protocol
- ignore_missing: true
- - set:
- field: network.transport
- copy_from: gcp.dns.protocol
- ignore_failure: true
- - lowercase:
- field: network.transport
- ignore_missing: true
- - set:
- field: network.iana_number
- value: '6'
- if: ctx.network?.transport == "tcp"
- - set:
- field: network.iana_number
- value: '17'
- if: ctx.network?.transport == "udp"
- - set:
- field: network.protocol
- value: dns
- - rename:
- field: json.jsonPayload.queryName
- target_field: gcp.dns.query_name
- ignore_missing: true
- - set:
- field: dns.question.name
- copy_from: gcp.dns.query_name
- ignore_failure: true
- - gsub:
- field: dns.question.name
- pattern: "[.]$"
- replacement: ""
- ignore_failure: true
- - registered_domain:
- field: dns.question.name
- target_field: dns.question
- - remove:
- field: dns.question.domain
- ignore_missing: true
- - rename:
- field: json.jsonPayload.queryType
- target_field: gcp.dns.query_type
- ignore_missing: true
- - set:
- field: dns.question.type
- copy_from: gcp.dns.query_type
- ignore_failure: true
- - rename:
- field: json.jsonPayload.rdata
- target_field: gcp.dns.rdata
- ignore_missing: true
-### Internal DNS query parsing
- - script:
- if: ctx?.gcp?.dns?.rdata != null
- lang: painless
- tag: Process DNS RData
- description: This script processes the DNS RData into `dns.answers`.
- source: |
- def rdata = ctx.gcp.dns.rdata;
- def dns_answers = [];
-
- // Check for truncated answers.
- def truncated = rdata.endsWith("...") ? 1 : 0;
-
- // Process answers.
- def rdata_answers = /\n/.split(rdata);
-
- for (def i = 0; i < rdata_answers.length - truncated; i++) {
- def answer_parts = /\t/.split(rdata_answers[i]);
-
- // Assign answer parts.
- def name = answer_parts[0];
- def ttl = answer_parts[1];
- def cls = answer_parts[2];
- def type = answer_parts[3];
- def data = answer_parts[4];
-
- // Remove trailing fullstop.
- if (name.endsWith(".")) {
- name = name.substring(0, name.length() - 1);
- }
-
- if (data.endsWith(".")) {
- data = data.substring(0, data.length() - 1);
- }
-
- // Uppercase type.
- type = type.toUpperCase();
-
- dns_answers.add([
- "name": name,
- "ttl": ttl,
- "class": cls,
- "type": type,
- "data": data
- ]);
- }
- ctx.dns.answers = dns_answers;
-### External DNS query parsing
- - script:
- lang: painless
- ignore_failure: true
- description: This script processes the Public DNS RData into `dns.answers`.
- if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List
- source: >-
- List answers = new ArrayList();
- for (answer in ctx.json.jsonPayload.structuredRdata) {
- Map new_answer = new HashMap();
- if(answer.class != null) {
- new_answer.put("class", answer.class);
- }
- if(answer.type != null) {
- new_answer.put("type", answer.type);
- }
- if(answer.ttl != null) {
- new_answer.put("ttl", answer.ttl);
- }
- if(answer.rvalue != null) {
- new_answer.put("data", answer.rvalue);
- if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') {
- new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1);
- }
- if (answer.domainName != null) {
- new_answer.put("name", answer.domainName);
- }
- }
- answers.add(new_answer);
- }
- if(ctx.dns.answers == null) {
- ctx.dns.put('answers',new ArrayList());
- }
- ctx.dns.answers = answers;
- - script:
- lang: painless
- ignore_failure: true
- if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List
- source: >-
- List answers = new ArrayList();
- if(ctx.related == null) {
- ctx.put('related', new HashMap());
- }
- if(ctx.related.ip == null) {
- ctx.related.put('ip',new ArrayList());
- }
- if(ctx.dns.resolved_ip == null) {
- ctx.dns.put('resolved_ip',new ArrayList());
- }
- if(ctx.related.hosts == null) {
- ctx.related.put('hosts',new ArrayList());
- }
- for (answer in ctx.dns.answers) {
- if(['A','AAAA'].contains(answer.type)) {
- if(!ctx.related.ip.contains(answer.data)) {
- ctx.related.ip.add(answer.data);
- }
- if(!ctx.dns.resolved_ip.contains(answer.data)) {
- ctx.dns.resolved_ip.add(answer.data);
- }
- }
- if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) {
- ctx.related.hosts.add(answer.data);
- }
- if(['MX'].contains(answer.type)) {
- def mx_server = / /.split(answer.data);
- if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1]))
- ctx.related.hosts.add(mx_server[1]);
- }
- }
- - rename:
- field: json.jsonPayload.responseCode
- target_field: gcp.dns.response_code
- ignore_missing: true
- - set:
- field: dns.response_code
- copy_from: gcp.dns.response_code
- ignore_failure: true
- - set:
- field: event.outcome
- value: success
- if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR"
- - set:
- field: event.outcome
- value: failure
- if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR"
- - rename:
- field: json.jsonPayload.serverLatency
- target_field: gcp.dns.server_latency
- ignore_missing: true
- - rename:
- field: json.jsonPayload.sourceIP
- target_field: gcp.dns.source_ip
- ignore_missing: true
- - set:
- field: source.address
- copy_from: gcp.dns.source_ip
- ignore_failure: true
- - convert:
- field: gcp.dns.source_ip
- target_field: source.ip
- type: ip
- ignore_failure: true
- - rename:
- field: json.jsonPayload.sourceNetwork
- target_field: gcp.dns.source_network
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vmInstanceIdString
- target_field: gcp.dns.vm_instance_id
- ignore_missing: true
- - set:
- field: cloud.instance.id
- copy_from: gcp.dns.vm_instance_id
- ignore_failure: true
- - rename:
- field: json.jsonPayload.vmInstanceName
- target_field: gcp.dns.vm_instance_name
- ignore_missing: true
- - set:
- field: cloud.instance.name
- copy_from: gcp.dns.vm_instance_name
- ignore_failure: true
- - gsub:
- field: cloud.instance.name
- pattern: "^.*[.]"
- replacement: ""
- ignore_failure: true
- - rename:
- field: json.jsonPayload.vmProjectId
- target_field: gcp.dns.vm_project_id
- ignore_missing: true
- - rename:
- field: json.jsonPayload.vmZoneName
- target_field: gcp.dns.vm_zone_name
- ignore_missing: true
- - set:
- field: cloud.availability_zone
- copy_from: gcp.dns.vm_zone_name
- ignore_failure: true
- - rename:
- field: json.resource.labels.target_type
- target_field: gcp.dns.target_type
- ignore_missing: true
- - rename:
- field: json.resource.labels.source_type
- target_field: gcp.dns.source_type
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx.source?.ip != null
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx.destination?.ip != null
- - append:
- field: related.hosts
- value: "{{dns.question.name}}"
- allow_duplicates: false
- if: ctx.dns?.question?.name != null
- - remove:
- field: json
- ignore_missing: true
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/2.11.9/data_stream/dns/fields/agent.yml b/packages/gcp/2.11.9/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp/2.11.9/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.9/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/2.11.9/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/2.11.9/data_stream/dns/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index a9047fb7ae..0000000000
--- a/packages/gcp/2.11.9/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,156 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- An array containing an object for each answer section returned by the server.
- The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
- Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
- name: dns.answers
- normalize:
- - array
- type: object
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- Array containing all IPs seen in `answers.data`.
- The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
- name: dns.resolved_ip
- normalize:
- - array
- type: ip
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
diff --git a/packages/gcp/2.11.9/data_stream/dns/fields/fields.yml b/packages/gcp/2.11.9/data_stream/dns/fields/fields.yml deleted file mode 100755 index 0edf352fb0..0000000000 --- a/packages/gcp/2.11.9/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,56 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
- - name: source_type
- type: keyword
- description: >-
- Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
- - name: target_type
- type: keyword
- description: >-
- Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet
diff --git a/packages/gcp/2.11.9/data_stream/dns/manifest.yml b/packages/gcp/2.11.9/data_stream/dns/manifest.yml deleted file mode 100755 index 202ad033f7..0000000000 --- a/packages/gcp/2.11.9/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) DNS logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-dns
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-dns
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.9/data_stream/dns/sample_event.json b/packages/gcp/2.11.9/data_stream/dns/sample_event.json
deleted file mode 100755
index da7cf1f2d6..0000000000
--- a/packages/gcp/2.11.9/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/firestore/agent/stream/stream.yml.hbs
deleted file mode 100755
index 646db263d0..0000000000
--- a/packages/gcp/2.11.9/data_stream/firestore/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-metricsets: ["metrics"]
-period: {{period}}
-project_id: {{project_id}}
-{{#if credentials_file}}
-credentials_file_path: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if region}}
-region: {{region}}
-{{/if}}
-{{#if zone}}
-zone: {{zone}}
-{{/if}}
-exclude_labels: {{exclude_labels}}
-metrics:
- - service: firestore
- metric_types:
- - "document/delete_count"
- - "document/read_count"
- - "document/write_count"
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/firestore/fields/agent.yml b/packages/gcp/2.11.9/data_stream/firestore/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.9/data_stream/firestore/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/firestore/fields/base-fields.yml deleted file mode 100755 index 7d9cfc69ef..0000000000 --- a/packages/gcp/2.11.9/data_stream/firestore/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.firestore diff --git a/packages/gcp/2.11.9/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/firestore/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/firestore/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/firestore/fields/fields.yml b/packages/gcp/2.11.9/data_stream/firestore/fields/fields.yml deleted file mode 100755 index e470f84b87..0000000000 
--- a/packages/gcp/2.11.9/data_stream/firestore/fields/fields.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: gcp.firestore - description: Google Cloud Firestore metrics - type: group - fields: - - name: document.delete.count - type: long - description: The number of successful document deletes. - - name: document.read.count - type: long - description: The number of successful document reads from queries or lookups. - - name: document.write.count - type: long - description: The number of successful document writes. diff --git a/packages/gcp/2.11.9/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/firestore/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.9/data_stream/firestore/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.9/data_stream/firestore/manifest.yml b/packages/gcp/2.11.9/data_stream/firestore/manifest.yml deleted file mode 100755 index 0b4061f8a5..0000000000 --- a/packages/gcp/2.11.9/data_stream/firestore/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-title: "GCP Firestore Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP Firestore Metrics
- description: Collect GCP Firestore Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.9/data_stream/firestore/sample_event.json b/packages/gcp/2.11.9/data_stream/firestore/sample_event.json
deleted file mode 100755
index ddfe07c3a2..0000000000
--- a/packages/gcp/2.11.9/data_stream/firestore/sample_event.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.firestore",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "firestore": {
- "document": {
- "delete": {
- "count": 3
- },
- "read": {
- "count": 10
- },
- "write": {
- "count": 1
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "firestore",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.9/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.9/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.9/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.9/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05c30443fa..0000000000
--- a/packages/gcp/2.11.9/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.9/data_stream/firewall/fields/agent.yml b/packages/gcp/2.11.9/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/2.11.9/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.9/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/2.11.9/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/2.11.9/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 9723061204..0000000000
--- a/packages/gcp/2.11.9/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,243 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/firewall/fields/fields.yml b/packages/gcp/2.11.9/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/2.11.9/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: gcp.firewall - type: group - fields: - - name: rule_details - type: group - fields: - - name: priority - type: long - description: The priority for the firewall rule. - - name: action - type: keyword - description: Action that the rule performs on match. - - name: direction - type: keyword - description: Direction of traffic that matches this rule. - - name: reference - type: keyword - description: Reference to the firewall rule. - - name: source_range - type: keyword - description: List of source ranges that the firewall rule applies to. - - name: destination_range - type: keyword - description: List of destination ranges that the firewall applies to. - - name: source_tag - type: keyword - description: | - List of all the source tags that the firewall rule applies to. - - name: target_tag - type: keyword - description: | - List of all the target tags that the firewall rule applies to. - - name: ip_port_info - type: array - description: | - List of ip protocols and applicable port ranges for rules. - - name: source_service_account - type: keyword - description: | - List of all the source service accounts that the firewall rule applies to. - - name: target_service_account - type: keyword - description: | - List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.11.9/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/firewall/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/2.11.9/data_stream/firewall/fields/package-fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.11.9/data_stream/firewall/manifest.yml b/packages/gcp/2.11.9/data_stream/firewall/manifest.yml deleted file mode 100755 index 0bc29d382e..0000000000 --- a/packages/gcp/2.11.9/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) firewall logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-firewall - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-firewall - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.9/data_stream/firewall/sample_event.json b/packages/gcp/2.11.9/data_stream/firewall/sample_event.json
deleted file mode 100755
index b2ce153fb8..0000000000
--- a/packages/gcp/2.11.9/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": 
"network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/gke/agent/stream/stream.yml.hbs
deleted file mode 100755
index 0046ac8843..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: gke - service_metric_prefix: kubernetes.io/ - metric_types: - - "container/cpu/core_usage_time" - - "container/cpu/limit_cores" - - "container/cpu/limit_utilization" - - "container/cpu/request_cores" - - "container/cpu/request_utilization" - - "container/ephemeral_storage/limit_bytes" - - "container/ephemeral_storage/request_bytes" - - "container/ephemeral_storage/used_bytes" - - "container/memory/limit_bytes" - - "container/memory/limit_utilization" - - "container/memory/page_fault_count" - - "container/memory/request_bytes" - - "container/memory/request_utilization" - - "container/memory/used_bytes" - - "container/restart_count" - - "container/uptime" - - "node/cpu/allocatable_cores" - - "node/cpu/allocatable_utilization" - - "node/cpu/core_usage_time" - - "node/cpu/total_cores" - - "node/ephemeral_storage/allocatable_bytes" - - "node/ephemeral_storage/inodes_free" - - "node/ephemeral_storage/inodes_total" - - "node/ephemeral_storage/total_bytes" - - "node/ephemeral_storage/used_bytes" - - "node/memory/allocatable_bytes" - - "node/memory/allocatable_utilization" - - "node/memory/total_bytes" - - "node/memory/used_bytes" - - "node/network/received_bytes_count" - - "node/network/sent_bytes_count" - - "node/pid_limit" - - "node/pid_used" - - "node_daemon/cpu/core_usage_time" - - "node_daemon/memory/used_bytes" - - "pod/network/received_bytes_count" - - "pod/network/sent_bytes_count" - - "pod/volume/total_bytes" - - "pod/volume/used_bytes" - - "pod/volume/utilization" \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/data_stream/gke/fields/agent.yml b/packages/gcp/2.11.9/data_stream/gke/fields/agent.yml
deleted file mode 100755
index 8e686410af..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/fields/agent.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/gke/fields/base-fields.yml deleted file mode 100755 index 485fc8f2d6..0000000000 --- a/packages/gcp/2.11.9/data_stream/gke/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.gke diff --git a/packages/gcp/2.11.9/data_stream/gke/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/gke/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/gke/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- name: cloud.account.name
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/gcp/2.11.9/data_stream/gke/fields/fields.yml b/packages/gcp/2.11.9/data_stream/gke/fields/fields.yml
deleted file mode 100755
index ccef93d523..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/fields/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- name: gcp.gke
- description: Google Cloud GKE metrics
- type: group
- fields:
- - name: container.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
- - name: container.cpu.limit_cores.value
- type: double
- description: CPU cores limit of the container. Sampled every 60 seconds.
- - name: container.cpu.limit_utilization.pct
- type: double
- description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.cpu.request_cores.value
- type: double
- description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.cpu.request_utilization.pct
- type: double
- description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.ephemeral_storage.limit.bytes
- type: long
- description: Local ephemeral storage limit in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.request.bytes
- type: long
- description: Local ephemeral storage request in bytes. Sampled every 60 seconds.
- - name: container.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage usage in bytes. Sampled every 60 seconds.
- - name: container.memory.limit.bytes
- type: long
- description: Memory limit of the container in bytes. Sampled every 60 seconds.
- - name: container.memory.limit_utilization.pct
- type: double
- description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.page_fault.count
- type: long
- description: Number of page faults, broken down by type, major and minor.
- - name: container.memory.request.bytes
- type: long
- description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.memory.request_utilization.pct
- type: double
- description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: container.memory.used.bytes
- type: long
- description: Memory usage in bytes. Sampled every 60 seconds.
- - name: container.restart.count
- type: long
- description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: container.uptime.sec
- type: double
- description: Time in seconds that the container has been running. Sampled every 60 seconds.
- - name: node.cpu.allocatable_cores.value
- type: double
- description: Number of allocatable CPU cores on the node. Sampled every 60 seconds.
- - name: node.cpu.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
- - name: node.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
- - name: node.cpu.total_cores.value
- type: double
- description: Total number of CPU cores on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.allocatable.bytes
- type: long
- description: Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_free.value
- type: long
- description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.inodes_total.value
- type: long
- description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
- - name: node.ephemeral_storage.total.bytes
- type: long
- description: Total ephemeral storage bytes on the node. Sampled every 60 seconds.
- - name: node.ephemeral_storage.used.bytes
- type: long
- description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.memory.allocatable_utilization.pct
- type: double
- description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: node.memory.total.bytes
- type: long
- description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
- - name: node.memory.used.bytes
- type: long
- description: Cumulative memory bytes used by the node. Sampled every 60 seconds.
- - name: node.network.received_bytes.count
- type: long
- description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
- - name: node.network.sent_bytes.count
- type: long
- description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
- - name: node.pid_limit.value
- type: long
- description: The max PID of OS on the node. Sampled every 60 seconds.
- - name: node.pid_used.value
- type: long
- description: The number of running process in the OS on the node. Sampled every 60 seconds.
- - name: node_daemon.cpu.core_usage_time.sec
- type: double
- description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
- - name: node_daemon.memory.used.bytes
- type: long
- description: Memory usage by the system daemon in bytes. Sampled every 60 seconds.
- - name: pod.network.received.bytes
- type: long
- description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
- - name: pod.network.sent.bytes
- type: long
- description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
- - name: pod.volume.total.bytes
- type: long
- description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
- - name: pod.volume.used.bytes
- type: long
- description: Number of disk bytes used by the pod. Sampled every 60 seconds.
- - name: pod.volume.utilization.pct
- type: double
- description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
diff --git a/packages/gcp/2.11.9/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/gke/fields/package-fields.yml
deleted file mode 100755
index d8ccb93f50..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/fields/package-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: gcp
- description: >-
- GCP module
- fields:
- - name: labels
- type: object
- description: >-
- GCP monitoring metrics labels
- fields:
- - name: user.*
- type: object
- object_type: keyword
- - name: metadata.*
- type: object
- object_type: keyword
- - name: metrics.*
- type: object
- object_type: keyword
- - name: system.*
- type: object
- object_type: keyword
- - name: resource.*
- type: object
- object_type: keyword
- - name: "metrics.*.*.*.*"
- type: object
- object_type: double
- object_type_mapping_type: "*"
- description: >
- Metrics that returned from Google Cloud API query.
-
diff --git a/packages/gcp/2.11.9/data_stream/gke/manifest.yml b/packages/gcp/2.11.9/data_stream/gke/manifest.yml
deleted file mode 100755
index 971b64d46b..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: "GCP GKE Metrics"
-type: metrics
-streams:
- - input: gcp/metrics
- title: GCP GKE Metrics
- description: Collect GCP GKE Metrics
- vars:
- - name: zone
- type: text
- title: GCP Zone
- multi: false
- required: false
- show_user: true
- - name: region
- type: text
- title: GCP Region
- multi: false
- required: false
- show_user: true
- - name: period
- type: text
- title: Period
- default: 60s
- required: true
- - name: exclude_labels
- type: bool
- title: Exclude Labels
- description: Exclude additional labels from metrics
- multi: false
- required: false
- show_user: true
diff --git a/packages/gcp/2.11.9/data_stream/gke/sample_event.json b/packages/gcp/2.11.9/data_stream/gke/sample_event.json
deleted file mode 100755
index d4edec9bb4..0000000000
--- a/packages/gcp/2.11.9/data_stream/gke/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.gke",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "gke": {
- "container": {
- "cpu": {
- "core_usage_time": {
- "sec": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "gke",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index eb4ae24a86..0000000000
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: info - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - date: - field: json.receiveTimestamp - target_field: event.created - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.zone - target_field: cloud.region - type: string - ignore_failure: true - - grok: - field: json.httpRequest.remoteIp - ignore_missing: true - patterns: - - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: json.httpRequest.requestMethod - target_field: http.request.method - ignore_missing: true - - convert: - field: json.httpRequest.requestSize - target_field: http.request.bytes - type: long - ignore_missing: true - - convert: - field: json.httpRequest.responseSize - target_field: http.response.bytes - 
type: long - ignore_missing: true - - rename: - field: json.httpRequest.status - target_field: http.response.status_code - ignore_missing: true - - dissect: - field: json.httpRequest.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true - if: ctx.json?.httpRequest?.protocol != null - - lowercase: - field: network.protocol - ignore_missing: true - - user_agent: - field: json.httpRequest.userAgent - target_field: user_agent - ignore_missing: true - - uri_parts: - field: json.httpRequest.requestUrl - target_field: url - if: ctx.json?.httpRequest?.requestUrl != null - - rename: - field: json.httpRequest.referer - target_field: http.request.referrer - ignore_missing: true - - grok: - field: json.httpRequest.serverIp - ignore_missing: true - patterns: - - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ - - set: - field: destination.address - copy_from: url.domain - ignore_empty_value: true - ignore_failure: true - - set: - field: destination.port - copy_from: url.port - ignore_empty_value: true - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - rename: - field: url.domain - target_field: destination.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.severity - target_field: log.level - ignore_missing: true - - rename: - field: json.jsonPayload.cacheId - target_field: gcp.load_balancer.cache_id - ignore_missing: true - - rename: - field: json.jsonPayload.statusDetails - target_field: gcp.load_balancer.status_details - ignore_missing: true - - rename: - field: json.httpRequest.cacheHit - target_field: gcp.load_balancer.cache_hit - ignore_missing: true - - rename: - field: json.httpRequest.cacheLookup - target_field: gcp.load_balancer.cache_lookup - ignore_missing: true - - rename: - field: json.resource.labels.url_map_name - target_field: gcp.load_balancer.url_map_name - ignore_missing: true - - rename: - 
field: json.resource.labels.forwarding_rule_name - target_field: gcp.load_balancer.forwarding_rule_name - ignore_missing: true - - rename: - field: json.resource.labels.target_proxy_name - target_field: gcp.load_balancer.target_proxy_name - ignore_missing: true - - rename: - field: json.resource.labels.backend_service_name - target_field: gcp.load_balancer.backend_service_name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: ctx?.destination?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - allow_duplicates: false - if: ctx?.destination?.domain != null - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/base-fields.yml
deleted file mode 100755
index 5d5236cac3..0000000000
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.loadbalancing_logs
diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/ecs.yml
deleted file mode 100755
index fb2886752f..0000000000
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/ecs.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/fields.yml deleted file mode 100755 index 5c4162eb07..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/fields/fields.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: gcp.load_balancer - type: group - fields: - - name: backend_service_name - type: keyword - description: | - The backend service to which the load balancer is sending traffic - - name: cache_hit - type: boolean - description: | - Whether or not an entity was served from cache (with or without validation). - - name: cache_id - type: keyword - description: >- - Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). - - name: cache_lookup - type: boolean - description: | - Whether or not a cache lookup was attempted. - - name: forwarding_rule_name - type: keyword - description: | - The name of the forwarding rule - - name: status_details - type: keyword - description: >- - Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. - - name: target_proxy_name - type: keyword - description: | - The target proxy name - - name: url_map_name - type: keyword - description: | - The URL map name diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/manifest.yml deleted file mode 100755 index d570564343..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) Load Balancing logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-load_balancer - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-load_balancer - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - description: "Overrides the default Pub/Sub service address and disables TLS. For testing." - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-loadbalancing_logs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.11.9/data_stream/loadbalancing_logs/sample_event.json deleted file mode 100755 index 2f777d5650..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_logs/sample_event.json +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "@timestamp": "2020-06-08T23:41:30.078Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "project": { - "id": "PROJECT_ID" - }, - "region": "global" - }, - "data_stream": { - "dataset": "gcp.loadbalancing_logs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "nat": { - "ip": "10.5.3.1", - "port": 9090 - }, - "port": 8080 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "category": "network", - "created": "2020-06-08T23:41:30.588Z", - "id": "1oek5rg3l3fxj7", - "kind": "event", - "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", - "type": "info" - }, - "gcp": { - "load_balancer": { - "backend_service_name": "", - "cache_hit": true, - "cache_id": "SFO-fbae48ad", - "cache_lookup": true, - "forwarding_rule_name": "FORWARDING_RULE_NAME", - "status_details": "response_from_cache", - "target_proxy_name": "TARGET_PROXY_NAME", - "url_map_name": "URL_MAP_NAME" - } - }, - "http": { - "request": { - "bytes": 577, - "method": "GET", - "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" - }, - "response": { - "bytes": 157, - "status_code": 304 - }, - "version": "2.0" - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/PROJECT_ID/logs/requests" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "89.160.20.156", - "81.2.69.193", - "10.5.3.1" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 9989 
- }, - "tags": [ - "forwarded", - "gcp-firewall" - ], - "url": { - "domain": "81.2.69.193", - "extension": "jpg", - "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", - "path": "/static/us/three-cats.jpg", - "port": 8080, - "scheme": "http" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", - "os": { - "full": "Mac OS X 10.14.6", - "name": "Mac OS X", - "version": "10.14.6" - }, - "version": "83.0.4103.61" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 27124802fb..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,48 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: loadbalancing - metric_types: - - "https/backend_request_bytes_count" - - "https/backend_request_count" - - "https/backend_response_bytes_count" - - "https/request_bytes_count" - - "https/request_count" - - "https/response_bytes_count" - - "l3/external/egress_bytes_count" - - "l3/external/egress_packets_count" - - "l3/external/ingress_bytes_count" - - "l3/external/ingress_packets_count" - - "l3/internal/egress_bytes_count" - - "l3/internal/egress_packets_count" - - "l3/internal/ingress_bytes_count" - - "l3/internal/ingress_packets_count" - - "tcp_ssl_proxy/closed_connections" - - "tcp_ssl_proxy/egress_bytes_count" - - "tcp_ssl_proxy/ingress_bytes_count" - - "tcp_ssl_proxy/new_connections" - - "tcp_ssl_proxy/open_connections" - - "https/backend_latencies" - - "https/external/regional/backend_latencies" - - "https/external/regional/total_latencies" - - "https/frontend_tcp_rtt" - - "https/internal/backend_latencies" - - "https/internal/total_latencies" - - "https/total_latencies" - - "l3/external/rtt_latencies" - - "l3/internal/rtt_latencies" - - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/base-fields.yml deleted file mode 100755 index 9529fa58a5..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/ecs.yml +++ /dev/null @@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword 
diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/fields.yml deleted file mode 100755 index 2e8929f684..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: gcp.loadbalancing - description: Google Cloud Load Balancing metrics - type: group - fields: - - name: https.backend_request.bytes - type: long - description: The number of bytes sent as requests from HTTP/S load balancer to backends. - - name: https.backend_request.count - type: long - description: The number of requests served by backends of HTTP/S load balancer. - - name: https.backend_response.bytes - type: long - description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. - - name: https.request.bytes - type: long - description: The number of bytes sent as requests from clients to HTTP/S load balancer. - - name: https.request.count - type: long - description: The number of requests served by HTTP/S load balancer. - - name: https.response.bytes - type: long - description: The number of bytes sent as responses from HTTP/S load balancer to clients. - - name: l3.external.egress.bytes - type: long - description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. - - name: l3.external.egress_packets.count - type: long - description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. - - name: l3.external.ingress.bytes - type: long - description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. - - name: l3.external.ingress_packets.count - type: long - description: The number of packets sent from client to external TCP/UDP network load balancer backend. - - name: l3.internal.egress.bytes - type: long - description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). 
- - name: l3.internal.egress_packets.count - type: long - description: The number of packets sent from ILB backend to client of the flow. - - name: l3.internal.ingress.bytes - type: long - description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). - - name: l3.internal.ingress_packets.count - type: long - description: The number of packets sent from client to ILB backend. - - name: tcp_ssl_proxy.closed_connections.value - type: long - description: Number of connections that were terminated over TCP/SSL proxy. - - name: tcp_ssl_proxy.egress.bytes - type: long - description: Number of bytes sent from VM to client using proxy. - - name: tcp_ssl_proxy.ingress.bytes - type: long - description: Number of bytes sent from client to VM using proxy. - - name: tcp_ssl_proxy.new_connections.value - type: long - description: Number of connections that were created over TCP/SSL proxy. - - name: tcp_ssl_proxy.open_connections.value - type: long - description: Current number of outstanding connections through the TCP/SSL proxy. - - name: https.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.external.regional.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. 
- - name: https.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the RTT measured for each connection between client and proxy. - - name: https.internal.backend_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. - - name: https.internal.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: https.total_latencies.value - type: object - object_type: histogram - description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. - - name: l3.external.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. - - name: l3.internal.rtt_latencies.value - type: object - object_type: histogram - description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. - - name: tcp_ssl_proxy.frontend_tcp_rtt.value - type: object - object_type: histogram - description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 
--- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/fields/package-fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/manifest.yml deleted file mode 100755 index 4e669823a3..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Load Balancing Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/sample_event.json deleted file mode 100755 index a0e5d35b49..0000000000 --- a/packages/gcp/2.11.9/data_stream/loadbalancing_metrics/sample_event.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "provider": "gcp", - "region": "us-central1", - "availability_zone": "us-central1-a" - }, - "event": { - "dataset": "gcp.loadbalancing_metrics", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "labels": { - "metrics": { - "client_network": "ocp-be-c5kjr-network", - "client_subnetwork": "ocp-be-c5kjr-worker-subnet", - "client_zone": "us-central1-a" - }, - "resource": { - "backend_name": "ocp-be-c5kjr-master-us-central1-a", - "backend_scope": "us-central1-a", - "backend_scope_type": "ZONE", - "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", - "backend_target_name": "ocp-be-c5kjr-api-internal", - "backend_target_type": "BACKEND_SERVICE", - "backend_type": "INSTANCE_GROUP", - "forwarding_rule_name": "ocp-be-c5kjr-api-internal", - "load_balancer_name": "ocp-be-c5kjr-api-internal", - "network_name": "ocp-be-c5kjr-network", - "region": "us-central1" - } - }, - "loadbalancing": { - "l3": { - "internal": { - "egress_packets": { - "count": 100 - }, - "egress": { - "bytes": 1247589 - } - } - } - } - }, - "metricset": { - "name": "loadbalancing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/pubsub/agent/stream/stream.yml.hbs deleted file mode 100755 index 3444d1ca25..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,67 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: pubsub - metric_types: - - "snapshot/backlog_bytes" - - "snapshot/backlog_bytes_by_region" - - "snapshot/config_updates_count" - - "snapshot/num_messages" - - "snapshot/num_messages_by_region" - - "snapshot/oldest_message_age" - - "snapshot/oldest_message_age_by_region" - - "subscription/ack_message_count" - - "subscription/backlog_bytes" - - "subscription/byte_cost" - - "subscription/config_updates_count" - - "subscription/dead_letter_message_count" - - "subscription/mod_ack_deadline_message_count" - - "subscription/mod_ack_deadline_message_operation_count" - - "subscription/mod_ack_deadline_request_count" - - "subscription/num_outstanding_messages" - - "subscription/num_undelivered_messages" - - "subscription/oldest_retained_acked_message_age" - - "subscription/oldest_retained_acked_message_age_by_region" - - "subscription/oldest_unacked_message_age" - - "subscription/oldest_unacked_message_age_by_region" - - "subscription/pull_ack_message_operation_count" - - "subscription/pull_ack_request_count" - - "subscription/pull_message_operation_count" - - "subscription/pull_request_count" - - "subscription/push_request_count" - - "subscription/retained_acked_bytes" - - "subscription/retained_acked_bytes_by_region" - - "subscription/seek_request_count" - - "subscription/sent_message_count" - - "subscription/streaming_pull_ack_message_operation_count" - - "subscription/streaming_pull_ack_request_count" - - "subscription/streaming_pull_message_operation_count" - - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" - - 
"subscription/streaming_pull_mod_ack_deadline_request_count" - - "subscription/streaming_pull_response_count" - - "subscription/unacked_bytes_by_region" - - "topic/byte_cost" - - "topic/config_updates_count" - - "topic/oldest_retained_acked_message_age_by_region" - - "topic/oldest_unacked_message_age_by_region" - - "topic/retained_acked_bytes_by_region" - - "topic/send_message_operation_count" - - "topic/send_request_count" - - "topic/unacked_bytes_by_region" - - "subscription/ack_latencies" - - "subscription/push_request_latencies" - - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.11.9/data_stream/pubsub/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/pubsub/fields/base-fields.yml deleted file mode 100755 index 2ca07084fc..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.pubsub diff --git a/packages/gcp/2.11.9/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/pubsub/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.11.9/data_stream/pubsub/fields/fields.yml deleted file mode 100755 index 18b09ae2c1..0000000000 
--- a/packages/gcp/2.11.9/data_stream/pubsub/fields/fields.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- name: gcp.pubsub - description: Google Cloud PubSub metrics - type: group - fields: - - name: snapshot.backlog.bytes - type: long - description: Total byte size of the messages retained in a snapshot. - - name: snapshot.backlog_bytes_by_region.bytes - type: long - description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: snapshot.num_messages.value - type: long - description: Number of messages retained in a snapshot. - - name: snapshot.num_messages_by_region.value - type: long - description: Number of messages retained in a snapshot, broken down by Cloud region. - - name: snapshot.oldest_message_age.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot. - - name: snapshot.oldest_message_age_by_region.sec - type: long - description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. - - name: subscription.ack_message.count - type: long - description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. - - name: subscription.backlog.bytes - type: long - description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.byte_cost.bytes - type: long - description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. - - name: subscription.config_updates.count - type: long - description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. - - name: subscription.dead_letter_message.count - type: long - description: Cumulative count of messages published to dead letter topic, grouped by result. 
- - name: subscription.mod_ack_deadline_message.count - type: long - description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. - - name: subscription.mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of ModifyAckDeadline message operations, grouped by result. - - name: subscription.mod_ack_deadline_request.count - type: long - description: Cumulative count of ModifyAckDeadline requests, grouped by result. - - name: subscription.num_outstanding_messages.value - type: long - description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. - - name: subscription.num_undelivered_messages.value - type: long - description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. - - name: subscription.oldest_retained_acked_message_age.sec - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription. - - name: subscription.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. - - name: subscription.oldest_unacked_message_age.sec - type: long - description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. - - name: subscription.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. - - name: subscription.pull_ack_message_operation.count - type: long - description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
- - name: subscription.pull_ack_request.count - type: long - description: Cumulative count of acknowledge requests, grouped by result. - - name: subscription.pull_message_operation.count - type: long - description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.pull_request.count - type: long - description: Cumulative count of pull requests, grouped by result. - - name: subscription.push_request.count - type: long - description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. - - name: subscription.retained_acked.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription. - - name: subscription.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. - - name: subscription.seek_request.count - type: long - description: Cumulative count of seek attempts, grouped by result. - - name: subscription.sent_message.count - type: long - description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. - - name: subscription.streaming_pull_ack_message_operation.count - type: long - description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: subscription.streaming_pull_ack_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. 
- - name: subscription.streaming_pull_message_operation.count - type: long - description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count - - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count - type: long - description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. - - name: subscription.streaming_pull_mod_ack_deadline_request.count - type: long - description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. - - name: subscription.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: subscription.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. - - name: topic.byte_cost.bytes - type: long - description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. - - name: topic.config_updates.count - type: long - description: Cumulative count of configuration changes, grouped by operation type and result. - - name: topic.message_sizes.bytes - type: object - object_type: histogram - description: Distribution of publish message sizes (in bytes) - - name: topic.oldest_retained_acked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. - - name: topic.oldest_unacked_message_age_by_region.value - type: long - description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. - - name: topic.retained_acked_bytes_by_region.bytes - type: long - description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
- - name: topic.send_message_operation.count - type: long - description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. - - name: topic.send_request.count - type: long - description: Cumulative count of publish requests, grouped by result. - - name: topic.streaming_pull_response.count - type: long - description: Cumulative count of streaming pull responses, grouped by result. - - name: topic.unacked_bytes_by_region.bytes - type: long - description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. - - name: subscription.ack_latencies.value - type: object - object_type: histogram - description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. - - name: subscription.push_request_latencies.value - type: object - object_type: histogram - description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.11.9/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/pubsub/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.9/data_stream/pubsub/manifest.yml b/packages/gcp/2.11.9/data_stream/pubsub/manifest.yml deleted file mode 100755 index 39d8944a03..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP PubSub Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP PubSub Metrics - description: Collect GCP PubSub Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.9/data_stream/pubsub/sample_event.json b/packages/gcp/2.11.9/data_stream/pubsub/sample_event.json deleted file mode 100755 index c8419630eb..0000000000 --- a/packages/gcp/2.11.9/data_stream/pubsub/sample_event.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.pubsub", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "pubsub": { - "subscription": { - "backlog": { - "bytes": 0 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "pubsub", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.11.9/data_stream/storage/agent/stream/stream.yml.hbs deleted file mode 100755 index cd1f37e511..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -metricsets: ["metrics"] -period: {{period}} -project_id: {{project_id}} -{{#if credentials_file}} -credentials_file_path: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if region}} -region: {{region}} -{{/if}} -{{#if zone}} -zone: {{zone}} -{{/if}} -exclude_labels: {{exclude_labels}} -metrics: - - service: storage - metric_types: - - "api/request_count" - - "authz/acl_based_object_access_count" - - "authz/acl_operations_count" - - "authz/object_specific_acl_mutation_count" - - "network/received_bytes_count" - - "network/sent_bytes_count" - - "storage/object_count" - - "storage/total_byte_seconds" - - "storage/total_bytes" \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/data_stream/storage/fields/agent.yml b/packages/gcp/2.11.9/data_stream/storage/fields/agent.yml deleted file mode 100755 index 8e686410af..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/fields/agent.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
- type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. 
- example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/gcp/2.11.9/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/storage/fields/base-fields.yml deleted file mode 100755 index 5f309fd4f7..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.storage diff --git a/packages/gcp/2.11.9/data_stream/storage/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/storage/fields/ecs.yml deleted file mode 100755 index 50c7f8c166..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/fields/ecs.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/gcp/2.11.9/data_stream/storage/fields/fields.yml b/packages/gcp/2.11.9/data_stream/storage/fields/fields.yml deleted file mode 100755 index 5e8d4e279b..0000000000 
--- a/packages/gcp/2.11.9/data_stream/storage/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: gcp.storage - description: Google Cloud Storage metrics - type: group - fields: - - name: api.request.count - type: long - description: Delta count of API calls, grouped by the API method name and response code. - - name: authz.acl_based_object_access.count - type: long - description: Delta count of requests that result in an object being granted access solely due to object ACLs. - - name: authz.acl_operations.count - type: long - description: Usage of ACL operations broken down by type. - - name: authz.object_specific_acl_mutation.count - type: long - description: Delta count of changes made to object specific ACLs. - - name: network.received.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: network.sent.bytes - type: long - description: Delta count of bytes sent over the network, grouped by the API method name and response code. - - name: storage.object.count - type: long - description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. - - name: storage.total_byte_seconds.bytes - type: long - description: Delta count of bytes received over the network, grouped by the API method name and response code. - - name: storage.total.bytes - type: long - description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.11.9/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/storage/fields/package-fields.yml deleted file mode 100755 index d8ccb93f50..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/fields/package-fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: gcp - description: >- - GCP module - fields: - - name: labels - type: object - description: >- - GCP monitoring metrics labels - fields: - - name: user.* - type: object - object_type: keyword - - name: metadata.* - type: object - object_type: keyword - - name: metrics.* - type: object - object_type: keyword - - name: system.* - type: object - object_type: keyword - - name: resource.* - type: object - object_type: keyword - - name: "metrics.*.*.*.*" - type: object - object_type: double - object_type_mapping_type: "*" - description: > - Metrics that returned from Google Cloud API query. - diff --git a/packages/gcp/2.11.9/data_stream/storage/manifest.yml b/packages/gcp/2.11.9/data_stream/storage/manifest.yml deleted file mode 100755 index fff1d6910a..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: "GCP Storage Metrics" -type: metrics -streams: - - input: gcp/metrics - title: GCP Storage Metrics - description: Collect GCP Storage Metrics - vars: - - name: zone - type: text - title: GCP Zone - multi: false - required: false - show_user: true - - name: region - type: text - title: GCP Region - multi: false - required: false - show_user: true - - name: period - type: text - title: Period - default: 60s - required: true - - name: exclude_labels - type: bool - title: Exclude Labels - description: Exclude additional labels from metrics - multi: false - required: false - show_user: true diff --git a/packages/gcp/2.11.9/data_stream/storage/sample_event.json b/packages/gcp/2.11.9/data_stream/storage/sample_event.json deleted file mode 100755 index 0b0e8e65ed..0000000000 --- a/packages/gcp/2.11.9/data_stream/storage/sample_event.json +++ /dev/null 
@@ -1,54 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.11.9/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.11.9/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52c89261fa..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.11.9/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.11.9/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.11.9/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 87e2bcffa2..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.11.9/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.11.9/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/manifest.yml b/packages/gcp/2.11.9/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index d6fd91bbab..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- description: "Overrides the default Pub/Sub service address and disables TLS. For testing."
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/2.11.9/data_stream/vpcflow/sample_event.json b/packages/gcp/2.11.9/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index a1244c2cca..0000000000
--- a/packages/gcp/2.11.9/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/docs/README.md b/packages/gcp/2.11.9/docs/README.md deleted file mode 100755 index 5194cf59ef..0000000000 --- a/packages/gcp/2.11.9/docs/README.md +++ /dev/null 
@@ -1,1536 +0,0 @@
-# Google Cloud Platform Integration
-
-The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink.
-
-## Authentication
-
-To use this Google Cloud Platform (GCP) integration, you need to set up a
-*Service Account* with a *Role* and a *Service Account Key* to access data on
-your GCP project.
-
-### Service Account
-
-First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources.
-
-The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs.
-
-If you haven't already, this might be a good moment to check out the [best
-practices for securing service
-accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts)
-guide.
-
-### Role
-
-You need to grant your Service Account (SA) access to Google Cloud Platform
-resources by assigning a role to the account. In order to assign minimal
-privileges, create a custom role that has only the privileges required by Agent.
-Those privileges are:
-
-- `pubsub.subscriptions.consume`
-- `pubsub.subscriptions.create` *
-- `pubsub.subscriptions.get`
-- `pubsub.topics.attachSubscription` *
-
-\* Only required if Agent is expected to create a new subscription. If you
-create the subscriptions yourself you may omit these privileges.
-
-After you have created the custom role, assign the role to your service account.
-
-### Service Account Keys
-
-Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key.
-
-From the list of SA:
-
-1. Click the one you just created to open the detailed view.
-2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type.
-3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost).
-
-## Configure the Integration Settings
-
-The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow).
-
-The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration.
-
-### Project Id
-
-The Project Id is the Google Cloud project ID where your resources exist.
-
-### Credentials File vs Json
-
-Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field.
-
-#### Option 1: Credentials File
-
-Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file.
-
-Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`.
-
-#### Option 2: Credentials JSON
-
-Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration.
-
-#### Recommendations
-
-Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data.
-
-## Logs Collection Configuration
-
-With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs.
-
-### Requirements
-
-You need to create a few dedicated Google Cloud resources before starting, in detail:
-
-- Log Sink
-- Pub/Sub Topic
-- Subscription
-
-Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream.
-
-Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration.
-
-### On the Google Cloud Console
-
-At a high level, the steps required are:
-
-- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description.
-- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration.
-- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings.
-- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs.
-
-This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic.
-
-More example filters for different log types:
-
-```text
-#
-# VPC Flow: logs for specific subnet
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/vpc_flows") AND
-resource.labels.subnetwork_name"=[SUBNET_NAME]"
-#
-# Audit: Google Compute Engine firewall rule deletion
-#
-resource.type="gce_firewall_rule" AND
-log_id("cloudaudit.googleapis.com/activity") AND
-protoPayload.methodName:"firewalls.delete"
-#
-# DNS: all DNS queries
-#
-resource.type="dns_query"
-#
-# Firewall: logs for a given country
-#
-resource.type="gce_subnetwork" AND
-log_id("compute.googleapis.com/firewall") AND
-jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3]
-```
-
-Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack.
-
-To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs.
-
-### On Kibana
-
-Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created.
-
-From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and:
-
-- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console.
-- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console).
-- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy.
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": 
"type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` - -### Firewall - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. 
| keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` - -### VPC Flow - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. 
This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.139.99.242", - "domain": "elasticsearch", - "ip": "10.139.99.242", - "port": 9200 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:48:14.443Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821056075Z", - "id": "ut8lbrffooxz5", - "ingested": "2022-06-28T02:48:15Z", - "kind": "event", - "start": "2019-06-14T03:40:20.510622432Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 201 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 11773, - "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", - "direction": "internal", - "iana_number": 
"6", - "name": "default", - "packets": 94, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "source": { - "address": "67.43.156.13", - "as": { - "number": 35908 - }, - "bytes": 11773, - "domain": "kibana", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "packets": 94, - "port": 33576 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-06-28T02:46:41.230Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-06-28T02:46:42Z", - "kind": 
"event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": "10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` - -## Metrics - -### Billing - -The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. | match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | -| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | -| gcp.billing.invoice_month | Billing report month. | keyword | -| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | -| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | -| gcp.billing.total | Total billing amount. | float | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | - - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Compute - -The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long | -| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | -| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | -| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | -| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | -| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | -| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | - - -An example event for `compute` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.compute", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "compute": { - "firewall": { - "dropped": { - "bytes": 421 - }, - "dropped_packets_count": { - "value": 4 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 1 - }, - "usage": { - "pct": 0.07259952346383708 - }, - "usage_time": { - "sec": 4.355971407830225 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 4128378880 - }, - "ram_used": { - "value": 2190848000 - }, - "swap_in": { - 
"bytes": 0 - }, - "swap_out": { - "bytes": 0 - } - } - }, - "uptime": { - "sec": 60.00000000000091 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -### Firestore - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.firestore.document.delete.count | The number of successful document deletes. | long |
-| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long |
-| gcp.firestore.document.write.count | The number of successful document writes. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id.
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword | - - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.9/docs/audit.md b/packages/gcp/2.11.9/docs/audit.md deleted file mode 100755 index ec4a74ece5..0000000000 --- a/packages/gcp/2.11.9/docs/audit.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Audit - -## Logs - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.
| keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM.
| keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-06-28T02:45:52.230Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-06-28T02:45:53Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - 
"resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": "jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status_value": "Success" - }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.9/docs/billing.md b/packages/gcp/2.11.9/docs/billing.md deleted file mode 100755 index 0612813219..0000000000 --- a/packages/gcp/2.11.9/docs/billing.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Billing - -## Metrics - -The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. - -Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. - -In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. - -## Sample Event - -An example event for `billing` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "01475F-5B1080-1137E7" - }, - "project": { - "id": "elastic-bi", - "name": "elastic-containerlib-prod" - }, - "provider": "gcp" - }, - "event": { - "dataset": "gcp.billing", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "billing": { - "billing_account_id": "01475F-5B1080-1137E7", - "cost_type": "regular", - "invoice_month": "202106", - "project_id": "containerlib-prod-12763", - "project_name": "elastic-containerlib-prod", - "total": 4717.170681 - } - }, - "metricset": { - "name": "billing", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind.
Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.billing.billing_account_id | Project Billing Account ID. | keyword |
-| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword |
-| gcp.billing.invoice_month | Billing report month. | keyword |
-| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword |
-| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword |
-| gcp.billing.total | Total billing amount. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/compute.md b/packages/gcp/2.11.9/docs/compute.md
deleted file mode 100755
index 34b3d0eee8..0000000000
--- a/packages/gcp/2.11.9/docs/compute.md
+++ /dev/null
@@ -1,172 +0,0 @@
-# Compute
-
-## Metrics
-
-The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute).
-
-Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
-
-## Sample Event
-
-An example event for `compute` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.compute",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "compute": {
- "firewall": {
- "dropped": {
- "bytes": 421
- },
- "dropped_packets_count": {
- "value": 4
- }
- },
- "instance": {
- "cpu": {
- "reserved_cores": {
- "value": 1
- },
- "usage": {
- "pct": 0.07259952346383708
- },
- "usage_time": {
- "sec": 4.355971407830225
- }
- },
- "memory": {
- "balloon": {
- "ram_size": {
- "value": 4128378880
- },
- "ram_used": {
- "value": 2190848000
- },
- "swap_in": {
- "bytes": 0
- },
- "swap_out": {
- "bytes": 0
- }
- }
- },
- "uptime": {
- "sec": 60.00000000000091
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "compute",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long |
-| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long |
-| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double |
-| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double |
-| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double |
-| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long |
-| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long |
-| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long |
-| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long |
-| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long |
-| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. 
| long |
-| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long |
-| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long |
-| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long |
-| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long |
-| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long |
-| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/dataproc.md b/packages/gcp/2.11.9/docs/dataproc.md
deleted file mode 100755
index 0b90005cea..0000000000
--- a/packages/gcp/2.11.9/docs/dataproc.md
+++ /dev/null
@@ -1,142 +0,0 @@
-# Dataproc
-
-## Metrics
-
-The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `dataproc` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.dataproc",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "dataproc": {
- "cluster": {
- "hdfs": {
- "datanodes": {
- "count": 15
- }
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "dataproc",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long |
-| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long |
-| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double |
-| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double |
-| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long |
-| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object |
-| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long |
-| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long |
-| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object |
-| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object |
-| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long |
-| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. 
| long |
-| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long |
-| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double |
-| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long |
-| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long |
-| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double |
-| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long |
-| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double |
-| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. 
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/dns.md b/packages/gcp/2.11.9/docs/dns.md
deleted file mode 100755
index 95150589be..0000000000
--- a/packages/gcp/2.11.9/docs/dns.md
+++ /dev/null
@@ -1,202 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. 
| keyword |
-| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. 
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0b86920e-9dac-4b22-91c8-e594b22a00b4",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-06-28T02:46:41.230Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-06-28T02:46:42Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- 
"auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/docs/firestore.md b/packages/gcp/2.11.9/docs/firestore.md
deleted file mode 100755
index 2b8c97370e..0000000000
--- a/packages/gcp/2.11.9/docs/firestore.md
+++ /dev/null
@@ -1,127 +0,0 @@ -# Firestore - -## Metrics - -The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. - -## Sample Event - -An example event for `firestore` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.firestore", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "firestore": { - "document": { - "delete": { - "count": 3 - }, - "read": { - "count": 10 - }, - "write": { - "count": 1 - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "firestore", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.firestore.document.delete.count | The number of successful document deletes. | long | -| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | -| gcp.firestore.document.write.count | The number of successful document writes. | long | -| gcp.labels.metadata.\* | | object | -| gcp.labels.metrics.\* | | object | -| gcp.labels.resource.\* | | object | -| gcp.labels.system.\* | | object | -| gcp.labels.user.\* | | object | -| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.11.9/docs/firewall.md b/packages/gcp/2.11.9/docs/firewall.md deleted file mode 100755 index 48e690fcf4..0000000000 --- a/packages/gcp/2.11.9/docs/firewall.md +++ /dev/null 
@@ -1,252 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-06-28T02:47:26.097Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-06-28T02:47:27Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", 
- "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` \ No newline at end of file diff --git a/packages/gcp/2.11.9/docs/gke.md b/packages/gcp/2.11.9/docs/gke.md deleted file mode 100755 index 58c31a0c39..0000000000 --- a/packages/gcp/2.11.9/docs/gke.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# GKE - -## Metrics - -The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). - -You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. - -## Sample Event - -An example event for `gke` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-obs-integrations-dev", - "name": "elastic-obs-integrations-dev" - }, - "instance": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "machine": { - "type": "e2-medium" - }, - "provider": "gcp", - "availability_zone": "us-central1-c", - "region": "us-central1" - }, - "event": { - "dataset": "gcp.gke", - "duration": 115000, - "module": "gcp" - }, - "gcp": { - "gke": { - "container": { - "cpu": { - "core_usage_time": { - "sec": 15 - } - } - } - }, - "labels": { - "user": { - "goog-gke-node": "" - } - } - }, - "host": { - "id": "4751091017865185079", - "name": "gke-cluster-1-default-pool-6617a8aa-5clh" - }, - "metricset": { - "name": "gke", - "period": 10000 - }, - "service": { - "type": "gcp" - } -} -``` - -## Exported fields - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | -| error.message | Error message. 
| match_only_text | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | -| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | -| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. 
| double | -| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | -| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | -| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | -| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | -| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | -| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | -| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | -| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. 
| long |
-| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long |
-| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double |
-| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network.
Sampled every 60 seconds. | long |
-| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long |
-| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long |
-| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/loadbalancing.md b/packages/gcp/2.11.9/docs/loadbalancing.md
deleted file mode 100755
index b7f53f6ca7..0000000000
--- a/packages/gcp/2.11.9/docs/loadbalancing.md
+++ /dev/null
@@ -1,397 +0,0 @@
-# Load Balancing
-
-## Logs
-
-The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers.
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2020-06-08T23:41:30.078Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "project": {
- "id": "PROJECT_ID"
- },
- "region": "global"
- },
- "data_stream": {
- "dataset": "gcp.loadbalancing_logs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "nat": {
- "ip": "10.5.3.1",
- "port": 9090
- },
- "port": 8080
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "category": "network",
- "created": "2020-06-08T23:41:30.588Z",
- "id": "1oek5rg3l3fxj7",
- "kind": "event",
- "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61
Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}",
- "type": "info"
- },
- "gcp": {
- "load_balancer": {
- "backend_service_name": "",
- "cache_hit": true,
- "cache_id": "SFO-fbae48ad",
- "cache_lookup": true,
- "forwarding_rule_name": "FORWARDING_RULE_NAME",
- "status_details": "response_from_cache",
- "target_proxy_name": "TARGET_PROXY_NAME",
- "url_map_name": "URL_MAP_NAME"
- }
- },
- "http": {
- "request": {
- "bytes": 577,
- "method": "GET",
- "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript"
- },
- "response": {
- "bytes": 157,
- "status_code": 304
- },
- "version": "2.0"
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/PROJECT_ID/logs/requests"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "ip": [
- "89.160.20.156",
- "81.2.69.193",
- "10.5.3.1"
- ]
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 9989
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ],
- "url": {
- "domain": "81.2.69.193",
- "extension": "jpg",
- "original": "http://81.2.69.193:8080/static/us/three-cats.jpg",
- "path": "/static/us/three-cats.jpg",
- "port": 8080,
- "scheme": "http"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.14.6",
- "name": "Mac OS X",
- "version": "10.14.6"
- },
- "version": "83.0.4103.61"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type.
| constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword |
-| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean |
-| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword |
-| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean |
-| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword |
-| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword |
-| gcp.load_balancer.target_proxy_name | The target proxy name | keyword |
-| gcp.load_balancer.url_map_name | The URL map name | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
| keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-## Metrics
-
-The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing).
-
-An example event for `loadbalancing` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-observability"
- },
- "provider": "gcp",
- "region": "us-central1",
- "availability_zone": "us-central1-a"
- },
- "event": {
- "dataset": "gcp.loadbalancing_metrics",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "labels": {
- "metrics": {
- "client_network": "ocp-be-c5kjr-network",
- "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
- "client_zone": "us-central1-a"
- },
- "resource": {
- "backend_name": "ocp-be-c5kjr-master-us-central1-a",
- "backend_scope": "us-central1-a",
- "backend_scope_type": "ZONE",
- "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
- "backend_target_name": "ocp-be-c5kjr-api-internal",
- "backend_target_type": "BACKEND_SERVICE",
- "backend_type": "INSTANCE_GROUP",
- "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
- "load_balancer_name": "ocp-be-c5kjr-api-internal",
- "network_name": "ocp-be-c5kjr-network",
- "region": "us-central1"
- }
- },
- "loadbalancing": {
- "l3": {
- "internal": {
- "egress_packets": {
- "count": 100
- 
},
- "egress": {
- "bytes": 1247589
- }
- }
- }
- }
- },
- "metricset": {
- "name": "loadbalancing",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long |
-| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long |
-| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy.
| object |
-| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object |
-| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long |
-| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long |
-| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object |
-| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long |
-| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long |
-| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend.
| long |
-| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object |
-| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long |
-| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long |
-| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long |
-| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object |
-| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long |
-| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/pubsub.md b/packages/gcp/2.11.9/docs/pubsub.md
deleted file mode 100755
index ffce8028d9..0000000000
--- a/packages/gcp/2.11.9/docs/pubsub.md
+++ /dev/null
@@ -1,167 +0,0 @@
-# PubSub
-
-## Metrics
-
-The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `pubsub` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.pubsub",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "pubsub": {
- "subscription": {
- "backlog": {
- "bytes": 0
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "pubsub",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long |
-| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long |
-| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object |
-| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. 
This is used to measure quota utilization. | long |
-| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long |
-| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long |
-| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long |
-| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long |
-| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long |
-| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long |
-| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. 
For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long |
-| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long |
-| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long |
-| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object |
-| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long |
-| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long |
-| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long |
-| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. 
| long |
-| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long |
-| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long |
-| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long |
-| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long |
-| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object |
-| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long |
-| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. 
| long |
-| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long |
-| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long |
-| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long |
-| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/storage.md b/packages/gcp/2.11.9/docs/storage.md
deleted file mode 100755
index fca7e1a230..0000000000
--- a/packages/gcp/2.11.9/docs/storage.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# Storage
-
-## Metrics
-
-The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage).
-
-You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets.
-
-## Sample Event
-
-An example event for `storage` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "cloud": {
- "account": {
- "id": "elastic-obs-integrations-dev",
- "name": "elastic-obs-integrations-dev"
- },
- "instance": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "machine": {
- "type": "e2-medium"
- },
- "provider": "gcp",
- "availability_zone": "us-central1-c",
- "region": "us-central1"
- },
- "event": {
- "dataset": "gcp.storage",
- "duration": 115000,
- "module": "gcp"
- },
- "gcp": {
- "storage": {
- "storage": {
- "total": {
- "bytes": 4472520191
- }
- },
- "network": {
- "received": {
- "bytes": 4472520191
- }
- }
- },
- "labels": {
- "user": {
- "goog-gke-node": ""
- }
- }
- },
- "host": {
- "id": "4751091017865185079",
- "name": "gke-cluster-1-default-pool-6617a8aa-5clh"
- },
- "metricset": {
- "name": "storage",
- "period": 10000
- },
- "service": {
- "type": "gcp"
- }
-}
-```
-
-## Exported fields
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. 
| match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| gcp.labels.metadata.\* | | object |
-| gcp.labels.metrics.\* | | object |
-| gcp.labels.resource.\* | | object |
-| gcp.labels.system.\* | | object |
-| gcp.labels.user.\* | | object |
-| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object |
-| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long |
-| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long |
-| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long |
-| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long |
-| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long |
-| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long |
-| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/gcp/2.11.9/docs/vpcflow.md b/packages/gcp/2.11.9/docs/vpcflow.md
deleted file mode 100755
index 65a292796a..0000000000
--- a/packages/gcp/2.11.9/docs/vpcflow.md
+++ /dev/null
@@ -1,257 +0,0 @@
-# VPC Flow
-
-## Logs
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
-| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. 
| keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-
-
-An example event for `vpcflow` looks as following:
-
-```json
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82",
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.3"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.139.99.242",
- "domain": "elasticsearch",
- "ip": "10.139.99.242",
- "port": 9200
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b",
- "snapshot": false,
- "version": "8.2.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-06-28T02:48:14.443Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821056075Z",
- "id": "ut8lbrffooxz5",
- "ingested": "2022-06-28T02:48:15Z",
- "kind": "event",
- "start": "2019-06-14T03:40:20.510622432Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 201
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 11773,
- "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
- "direction": "internal",
- "iana_number": 
"6",
- "name": "default",
- "packets": 94,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "67.43.156.13",
- "10.139.99.242"
- ]
- },
- "source": {
- "address": "67.43.156.13",
- "as": {
- "number": 35908
- },
- "bytes": 11773,
- "domain": "kibana",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "packets": 94,
- "port": 33576
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/img/filebeat-gcp-audit.png b/packages/gcp/2.11.9/img/filebeat-gcp-audit.png
deleted file mode 100755
index 4f68932e9f..0000000000
Binary files a/packages/gcp/2.11.9/img/filebeat-gcp-audit.png and /dev/null differ
diff --git a/packages/gcp/2.11.9/img/gcp-billing.png b/packages/gcp/2.11.9/img/gcp-billing.png
deleted file mode 100755
index b697c285a1..0000000000
Binary files a/packages/gcp/2.11.9/img/gcp-billing.png and /dev/null differ
diff --git a/packages/gcp/2.11.9/img/gcp-compute.png b/packages/gcp/2.11.9/img/gcp-compute.png
deleted file mode 100755
index d4d90d27ad..0000000000
Binary files a/packages/gcp/2.11.9/img/gcp-compute.png and /dev/null differ
diff --git a/packages/gcp/2.11.9/img/logo_gcp.svg b/packages/gcp/2.11.9/img/logo_gcp.svg
deleted file mode 100755
index 75e139f9b2..0000000000
--- a/packages/gcp/2.11.9/img/logo_gcp.svg
+++ /dev/null
@@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - -
diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index fd857ca086..0000000000
--- a/packages/gcp/2.11.9/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0",
- "type": "search"
- },
- {
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0",
- "type": "search"
- },
- {
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0",
- "type": "search"
- },
- {
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0",
- "type": "search"
- },
- {
- "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
- "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0",
- "type": "search"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json
deleted file mode 100755
index a9b37f3dfc..0000000000
--- a/packages/gcp/2.11.9/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json
+++ /dev/null
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"panelRefName\":\"panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"panelRefName\":\"panel_da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"panelRefName\":\"panel_305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"panelRefName\":\"panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"panelRefName\":\"panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"panelRefName\":\"panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51",
- "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:panel_02422b42-6d8c-4924-acc1-0d7f4fb9a1b1",
- "type": "visualization"
- },
- {
- "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51",
- "name": "da16e443-8524-47ea-83e1-6a16250ed61c:panel_da16e443-8524-47ea-83e1-6a16250ed61c",
- "type": "visualization"
- },
- {
- "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51",
- "name": "305f8fc3-e763-4b2c-8998-9e0e057ce713:panel_305f8fc3-e763-4b2c-8998-9e0e057ce713",
- "type": "visualization"
- },
- {
- "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51",
- "name": "e4fe30c7-906a-4878-bec7-7a78a06d98d0:panel_e4fe30c7-906a-4878-bec7-7a78a06d98d0",
- "type": "visualization"
- },
- {
- "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51",
- "name": "c2bec6ee-96e8-440c-bfa4-6e0def7b0095:panel_c2bec6ee-96e8-440c-bfa4-6e0def7b0095",
- "type": "visualization"
- },
- {
- "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51",
- "name": "fbaeaa8f-262d-41b1-a621-d6dbff52ff59:panel_fbaeaa8f-262d-41b1-a621-d6dbff52ff59",
- "type": "visualization"
- }
- ],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:31:12.649Z",
- "version": "WzM3OTgsMV0="
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
deleted file mode 100755
index 1ad9f23b5a..0000000000
--- a/packages/gcp/2.11.9/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Google Cloud Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"panelRefName\":\"panel_2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"panelRefName\":\"panel_2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"panelRefName\":\"panel_b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"panelRefName\":\"panel_9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"panelRefName\":\"panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice 
Month\",\"type\":\"lens\",\"version\":\"7.9.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"panelRefName\":\"panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.9.0\"}]",
- "timeRestore": false,
- "title": "[Metrics GCP] Billing Overview",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78",
- "name": "2552123b-6ad6-4d63-89c3-0672ab428580:panel_2552123b-6ad6-4d63-89c3-0672ab428580",
- "type": "visualization"
- },
- {
- "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158",
- "name": "2d3d3b79-0656-45c2-b051-4489484b625c:panel_2d3d3b79-0656-45c2-b051-4489484b625c",
- "type": "lens"
- },
- {
- "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78",
- "name": "b737e597-cc4d-4437-859c-6d491679599d:panel_b737e597-cc4d-4437-859c-6d491679599d",
- "type": "lens"
- },
- {
- "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78",
- "name": "9eedb0c7-2089-4e0f-af98-721034203aad:panel_9eedb0c7-2089-4e0f-af98-721034203aad",
- "type": "lens"
- },
- {
- "id": "gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78",
- "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:panel_f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a",
- "type": "lens"
- },
- {
- "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78",
- "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:panel_991e60a8-68eb-4c2b-ac9a-b553e90dd49d",
- "type": "lens"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
deleted file mode 100755
index 0462344e04..0000000000
--- a/packages/gcp/2.11.9/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
+++ /dev/null
@@ -1,152 +0,0 @@
-{
- "attributes": {
- "description": "Overview of the firewall log data from Google Cloud.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Firewall", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 22d953a269..0000000000 --- a/packages/gcp/2.11.9/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing L3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"panelRefName\":\"panel_8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"panelRefName\":\"panel_44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"panelRefName\":\"panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"panelRefName\":\"panel_c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"panelRefName\":\"panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing L3 Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:panel_8b86e712-4709-458a-b8e9-40e79305b1aa", - "type": "visualization" - }, - { - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "name": "44d18a84-d060-4149-825d-eacc61f946f3:panel_44d18a84-d060-4149-825d-eacc61f946f3", - "type": "visualization" - }, - { - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "name": "c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86:panel_c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86", - "type": "visualization" - }, - { - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "name": "c5782327-dc55-466d-97d8-b79618f0b47a:panel_c5782327-dc55-466d-97d8-b79618f0b47a", - "type": "visualization" - }, - { - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "name": "beaf5f45-5217-4aed-b663-69e5e9ca35c3:panel_beaf5f45-5217-4aed-b663-69e5e9ca35c3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTIsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json deleted file mode 100755 index 46cef5aac9..0000000000 --- a/packages/gcp/2.11.9/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the VPC flow log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index f99f385850..0000000000 --- a/packages/gcp/2.11.9/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Load Balancing HTTPS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"panelRefName\":\"panel_f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"panelRefName\":\"panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"panelRefName\":\"panel_10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"panelRefName\":\"panel_e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"panelRefName\":\"panel_b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request 
Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"panelRefName\":\"panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"panelRefName\":\"panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Load Balancing HTTPS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "name": "f89112f9-0f3a-4712-a317-23230cd66213:panel_f89112f9-0f3a-4712-a317-23230cd66213", - "type": "visualization" - }, - { - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "name": "8f4baaa9-6f4d-40fa-a77f-9f68f83a379c:panel_8f4baaa9-6f4d-40fa-a77f-9f68f83a379c", - "type": "visualization" - }, - { - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "name": "10490530-a766-4f87-824a-3fc18bf2e85b:panel_10490530-a766-4f87-824a-3fc18bf2e85b", - "type": "visualization" - }, - { - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "name": "e737b020-eb94-4eb1-b53d-50fa551df648:panel_e737b020-eb94-4eb1-b53d-50fa551df648", - "type": "visualization" - }, - { - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "name": "b90db52e-982e-4360-b5ed-71147ba79246:panel_b90db52e-982e-4360-b5ed-71147ba79246", - "type": "visualization" - }, - { - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "name": 
"a2a5c845-d426-425f-b2e6-e8df6038fd9d:panel_a2a5c845-d426-425f-b2e6-e8df6038fd9d", - "type": "visualization" - }, - { - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "name": "2bf5bf09-e743-4c6d-8251-d12c9c70f273:panel_2bf5bf09-e743-4c6d-8251-d12c9c70f273", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 7e167253d7..0000000000 --- a/packages/gcp/2.11.9/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "attributes": { - "description": "Overview of GCP Compute Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"panelRefName\":\"panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"panelRefName\":\"panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"panelRefName\":\"panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"panelRefName\":\"panel_93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write 
I/O\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"panelRefName\":\"panel_e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"panelRefName\":\"panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"panelRefName\":\"panel_00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"panelRefName\":\"panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.9.1\"}]", - "timeRestore": false, - "title": "[Metrics GCP] Compute Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", - "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", - "type": "visualization" - }, - { - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "name": 
"2034fcc8-5cd7-4ee8-8c8f-99054f025b05:panel_2034fcc8-5cd7-4ee8-8c8f-99054f025b05", - "type": "visualization" - }, - { - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "name": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f:panel_5f6f2ecd-dcaf-4455-967c-ede6b38f431f", - "type": "visualization" - }, - { - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "name": "9c6f36f5-c2b2-40f5-8ee3-af6131168842:panel_9c6f36f5-c2b2-40f5-8ee3-af6131168842", - "type": "visualization" - }, - { - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "name": "93906f63-42c9-4f30-9b2c-05041a9e1efe:panel_93906f63-42c9-4f30-9b2c-05041a9e1efe", - "type": "visualization" - }, - { - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "name": "e1a4e862-dd00-409f-8746-8a8e4bc82807:panel_e1a4e862-dd00-409f-8746-8a8e4bc82807", - "type": "visualization" - }, - { - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "name": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce:panel_6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", - "type": "visualization" - }, - { - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "name": "00689e12-4cb3-49ad-ac33-dbe4279f446e:panel_00689e12-4cb3-49ad-ac33-dbe4279f446e", - "type": "visualization" - }, - { - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "name": "901e7bf5-35f5-4c1a-9627-27f6c20d2514:panel_901e7bf5-35f5-4c1a-9627-27f6c20d2514", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzQsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index a62be39b46..0000000000 --- a/packages/gcp/2.11.9/kibana/lens/gcp-057de170-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of gcp.billing.total", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "2477291e-9021-4eb2-9fce-8da1ee792c49": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost Per Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 20 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2477291e-9021-4eb2-9fce-8da1ee792c49" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "legendDisplay": "default", - "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Cost Per Project ID [Metrics GCP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-057de170-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json b/packages/gcp/2.11.9/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json deleted file mode 100755 index 6a75af55fb..0000000000 --- a/packages/gcp/2.11.9/kibana/lens/gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e12171da-25a4-41ea-86d3-8fd71205c263": { - "columnOrder": [ - "6011e524-4646-410b-8d1c-06c281e8f7ed", - "f8ab301c-f139-4573-b233-ed8a3f717e24" - ], - "columns": { - "6011e524-4646-410b-8d1c-06c281e8f7ed": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", - "type": "column" - }, - "orderDirection": "desc", - "size": 12 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "f8ab301c-f139-4573-b233-ed8a3f717e24": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6011e524-4646-410b-8d1c-06c281e8f7ed" - }, - { - "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24" - } - ], - "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263", - "layerType": "data" - } - }, - "title": "Total Cost Table [Metrics GCP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-520c6f10-ec8a-11ea-a0ed-7fe6b565d158", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 98207850ab..0000000000 --- a/packages/gcp/2.11.9/kibana/lens/gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { - "columnOrder": [ - "faaaaf23-f362-4a00-be9e-8a155208a39e", - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "columns": { - "3041fc1b-ceb8-4188-b55d-d354819f267e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "faaaaf23-f362-4a00-be9e-8a155208a39e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Project ID", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - }, - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "1164563d-d2b3-4067-bc7b-d694179182ed", - "10b91492-efef-490d-bc7a-c2074b2eae84" - ], - "columns": { - "10b91492-efef-490d-bc7a-c2074b2eae84": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "sum", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "1164563d-d2b3-4067-bc7b-d694179182ed": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "1d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cost", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", - "type": "column" - }, - "orderDirection": "desc", - "size": 15 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "3041fc1b-ceb8-4188-b55d-d354819f267e" - ], - "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", - "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Total Cost Bar Chart [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-73346db0-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 92147debf4..0000000000 --- a/packages/gcp/2.11.9/kibana/lens/gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { - "columnOrder": [ - "2f66b924-5392-4e5e-93fe-5b23a87068c1" - ], - "columns": { - "2f66b924-5392-4e5e-93fe-5b23a87068c1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", - "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "layerType": "data" - } - }, - "title": "Total Number Of Projects [Metrics GCP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-dd835300-e88f-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 502ed7d0f7..0000000000 --- a/packages/gcp/2.11.9/kibana/lens/gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ca843af-63d7-46b9-a719-51a81eebf1f7": { - "columnOrder": [ - "e25f49de-f161-4be8-a8fc-519188a7776c", - "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "columns": { - "af747bf6-66e9-4760-bbd8-3dae9c97159d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Billing Cost", - "operationType": "max", - "scale": "ratio", - "sourceField": "gcp.billing.total" - }, - "b92edf5e-58bc-4382-9cd5-19db2c332c93": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Invoice Month", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.invoice_month" - }, - "e25f49de-f161-4be8-a8fc-519188a7776c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Monthly Cost", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", - "type": "column" - }, - "orderDirection": "desc", - "size": 10 - }, - "scale": "ordinal", - "sourceField": "gcp.billing.project_id" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "af747bf6-66e9-4760-bbd8-3dae9c97159d" - ], - "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", - "layerType": "data", - "seriesType": "bar_stacked", - "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", - "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked" - } - }, - "title": "Monthly Cost Per Project [Metrics GCP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": 
"gcp-e6933020-e88d-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "lens": "7.15.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.11.9/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/2.11.9/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.11.9/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 --- a/packages/gcp/2.11.9/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fd06344701..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-0bd0a6e0-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 6efe6a8273..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-2f6b6740-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json deleted file mode 100755 index ce20138e75..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-3f472ea0-5e47-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute CPU Utilization [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f472ea0-5e47-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzcsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 861368f819..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-3f4e9040-909d-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 437e049997..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-434f69f0-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-434f69f0-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json deleted file mode 100755 index 8156946491..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-43f45ba0-5e4a-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Received Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-43f45ba0-5e4a-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 34aca0f6fc..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-543dac40-909b-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Ingress Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-543dac40-909b-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.11.9/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json deleted file mode 100755 index 6156011102..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Account ID Filter [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-5d2f9160-e88e-11ea-bf8c-d13ebf358a78", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 3e08b8a182..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Balancing TCP SSL Proxy Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-6958ed10-a6ad-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json deleted file mode 100755 index 1f8695114a..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-6f795e70-5e49-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Network Sent Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f795e70-5e49-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODAsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 533d332a4b..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-6f933ef0-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODcsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 0757766861..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-89513bc0-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Read I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-89513bc0-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index c8d7d7accb..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-8d4ddf40-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json deleted file mode 100755 index 03fe7c646a..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-95e1f050-5e48-11ea-a4f6-717338406083.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Write I/O [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-95e1f050-5e48-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzksMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json deleted file mode 100755 index 51078aae99..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-9d919d00-5e4d-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-9d919d00-5e4d-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 8895100042..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-afeb98a0-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDMsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 4390df28b8..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-be27b340-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-be27b340-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDQsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index fbbf68f4d4..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-c4e1e090-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDEsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 8b7e7300c9..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-d5418f80-9156-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Filters [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "gcp-d5418f80-9156-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 94a8ff52e0..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-d63465e0-9154-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Response Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-d63465e0-9154-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3OTEsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json b/packages/gcp/2.11.9/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0b505bcc4a..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Instance Uptime Gauge [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 
60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3NzYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index fa29c606c8..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-dff87070-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Count [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-dff87070-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODYsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index d80a4a76cc..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-e562eb50-909a-11ea-8180-7b0dacd9df87.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing L3 Egress Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-e562eb50-909a-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:11.683Z", - "version": "WzM3OTUsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.11.9/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json deleted file mode 100755 index 441aac75ab..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-eb891a20-9155-11ea-8180-7b0dacd9df87.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing HTTPS Backend Request Bytes [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eb891a20-9155-11ea-8180-7b0dacd9df87", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:10.632Z", - "version": "WzM3ODgsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 108030f799..0000000000 
--- a/packages/gcp/2.11.9/kibana/visualization/gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy New Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-eed05d80-a6ac-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json b/packages/gcp/2.11.9/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json deleted file mode 100755 index fa3f3fa3e8..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-ef1508c0-5e4c-11ea-a4f6-717338406083.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Compute Firewall Dropped Packets [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-ef1508c0-5e4c-11ea-a4f6-717338406083", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:09.611Z", - "version": "WzM3ODMsMV0=" -} \ No newline at end of file 
diff --git a/packages/gcp/2.11.9/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json b/packages/gcp/2.11.9/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json deleted file mode 100755 index 214ee0c212..0000000000 --- a/packages/gcp/2.11.9/kibana/visualization/gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "gcp-f86c26f0-a6aa-11ea-950e-d57608e3aa51", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2021-08-04T16:31:12.649Z", - "version": "WzM4MDAsMV0=" -} \ No newline at end of file diff --git a/packages/gcp/2.11.9/manifest.yml b/packages/gcp/2.11.9/manifest.yml deleted file mode 100755 index 773a9108da..0000000000 --- a/packages/gcp/2.11.9/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -name: gcp -title: Google Cloud Platform -version: "2.11.9" -release: ga -description: Collect logs from Google Cloud Platform with Elastic Agent. -type: integration -icons: - - src: /img/logo_gcp.svg - title: logo gcp - size: 32x32 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: - - google_cloud - - cloud -conditions: - kibana.version: ^7.17.6 || ^8.3.0 -screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png -vars: - - name: project_id - type: text - title: Project Id - multi: false - required: true - show_user: true - default: SET_PROJECT_NAME - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - - name: credentials_json - type: text - title: Credentials Json - multi: false - required: false - show_user: true -policy_templates: - - name: audit - title: Google Cloud Platform (GCP) Audit logs - description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - security - data_streams: - - audit - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" - description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - screenshots: - - src: /img/filebeat-gcp-audit.png - title: filebeat gcp audit - size: 1702x996 - type: image/png - - name: firewall - title: Google Cloud Platform (GCP) Firewall logs - description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - firewall - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) firewall logs (input: 
gcp-pubsub)" - description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: vpcflow - title: Google Cloud Platform (GCP) VPC Flow logs - description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - vpcflow - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" - description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: dns - title: Google Cloud Platform (GCP) DNS logs - description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent - categories: - - network - - security - data_streams: - - dns - inputs: - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" - description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" - input_group: logs - - name: billing - title: Google Cloud Platform (GCP) Billing metrics - description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - billing - inputs: - - type: gcp/metrics - title: Collect GCP Billing Metrics - description: Collect GCP Billing Metrics - input_group: metrics - screenshots: - - src: /img/gcp-billing.png - title: GCP Billing Metrics Dashboard - size: 2000x1020 - type: image/png - - name: compute - title: Google Cloud Platform (GCP) Compute metrics - description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - compute - inputs: - - type: gcp/metrics - title: Collect GCP Compute Metrics - description: Collect GCP Compute Metrics - input_group: metrics - screenshots: - - src: /img/gcp-compute.png - title: GCP Compute Metrics Dashboard - size: 2000x2021 - type: image/png - - name: firestore - title: Google Cloud Platform (GCP) Firestore metrics - 
description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - firestore - inputs: - - type: gcp/metrics - title: Collect GCP Firestore Metrics - description: Collect GCP Firestore Metrics - input_group: metrics - - name: loadbalancing - title: Google Cloud Platform (GCP) Load Balancing metrics - description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - loadbalancing_metrics - - loadbalancing_logs - inputs: - - type: gcp/metrics - title: Collect GCP Load Balancing Metrics - description: Collect GCP Load Balancing Metrics - input_group: metrics - - type: gcp-pubsub - title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" - description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" - input_group: logs - - name: storage - title: Google Cloud Platform (GCP) Storage metrics - description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - storage - inputs: - - type: gcp/metrics - title: Collect GCP Storage Metrics - description: Collect GCP Storage Metrics - input_group: metrics - - name: gke - title: Google Cloud Platform (GCP) GKE metrics - description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - gke - inputs: - - type: gcp/metrics - title: Collect GCP GKE Metrics - description: Collect GCP GKE Metrics - input_group: metrics - - name: dataproc - title: Google Cloud Platform (GCP) Dataproc metrics - description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent - data_streams: - - dataproc - inputs: - - type: gcp/metrics - title: Collect GCP Dataproc Metrics - description: Collect GCP Dataproc Metrics - input_group: metrics - - name: pubsub - title: Google Cloud Platform (GCP) PubSub metrics - description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic 
Agent - data_streams: - - pubsub - inputs: - - type: gcp/metrics - title: Collect GCP PubSub Metrics - description: Collect GCP PubSub Metrics -owner: - github: elastic/security-external-integrations diff --git a/packages/infoblox_bloxone_ddi/0.1.1/LICENSE.txt b/packages/infoblox_bloxone_ddi/0.1.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/infoblox_bloxone_ddi/0.1.1/changelog.yml b/packages/infoblox_bloxone_ddi/0.1.1/changelog.yml deleted file mode 100755 index 38f8bf5e7f..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/changelog.yml +++ /dev/null @@ -1,11 +0,0 @@ -# newer versions go on top -- version: '0.1.1' - changes: - - description: Fix documentation build error. - type: bugfix - link: https://github.com/elastic/integrations/pull/4369 -- version: '0.1.0' - changes: - - description: Initial Release. - type: enhancement - link: https://github.com/elastic/integrations/pull/4118 diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs deleted file mode 100755 index aefcd7c934..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,54 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/api/ddi/v1/dhcp/lease -request.transforms: - - set: - target: header.Authorization - value: 'Token {{api_key}}' - - set: - target: url.params._offset - value: 0 - - set: - target: url.params._limit - value: 100 - - set: - target: url.params._order_by - value: 'last_updated asc' - - set: - target: url.params._filter - value: 'last_updated>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"' - default: 'last_updated>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"' -response.pagination: - - set: - target: url.params._offset - value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_updated_at: - value: '[[.last_event.last_updated]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b0f1d73624..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,244 +0,0 @@ ---- -description: Pipeline for parsing DHCP lease logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.starts - - json.last_updated - - json.ends - target_field: _id - ignore_missing: true - - convert: - field: json.address - target_field: infoblox_bloxone_ddi.dhcp_lease.address - if: ctx.json?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dhcp_lease.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.client_id - target_field: infoblox_bloxone_ddi.dhcp_lease.client_id - ignore_missing: true - - set: - field: client.user.id - copy_from: infoblox_bloxone_ddi.dhcp_lease.client_id - ignore_failure: true - - date: - field: json.ends - target_field: infoblox_bloxone_ddi.dhcp_lease.ends - if: ctx.json?.ends != null && ctx.json.ends != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.end - copy_from: infoblox_bloxone_ddi.dhcp_lease.ends - ignore_failure: true - - rename: - field: json.fingerprint - target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.value - ignore_missing: true - - rename: - field: json.fingerprint_processed - target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.processed - ignore_missing: true - - rename: - field: json.ha_group - target_field: infoblox_bloxone_ddi.dhcp_lease.ha_group - ignore_missing: true - - gsub: - field: json.hardware - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - uppercase: - 
field: json.hardware - ignore_missing: true - - rename: - field: json.hardware - target_field: infoblox_bloxone_ddi.dhcp_lease.hardware - ignore_missing: true - - rename: - field: json.host - target_field: infoblox_bloxone_ddi.dhcp_lease.host - ignore_missing: true - - set: - field: host.name - copy_from: infoblox_bloxone_ddi.dhcp_lease.host - ignore_failure: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.hostname - target_field: infoblox_bloxone_ddi.dhcp_lease.hostname - ignore_missing: true - - set: - field: host.hostname - copy_from: infoblox_bloxone_ddi.dhcp_lease.hostname - ignore_failure: true - - append: - field: related.hosts - value: '{{{host.hostname}}}' - if: ctx.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.iaid - target_field: infoblox_bloxone_ddi.dhcp_lease.iaid - if: ctx.json?.iaid != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.last_updated - target_field: infoblox_bloxone_ddi.dhcp_lease.last_updated - if: ctx.json?.last_updated != null && ctx.json.last_updated != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: infoblox_bloxone_ddi.dhcp_lease.last_updated - ignore_failure: true - - rename: - field: json.options - target_field: infoblox_bloxone_ddi.dhcp_lease.options - ignore_missing: true - - date: - field: json.preferred_lifetime - target_field: infoblox_bloxone_ddi.dhcp_lease.preferred_lifetime - if: ctx.json?.preferred_lifetime != null && ctx.json.preferred_lifetime != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: json.protocol - value: ipv4 - if: 
ctx.json?.protocol == 'ip4' - ignore_failure: true - - set: - field: json.protocol - value: ipv6 - if: ctx.json?.protocol == 'ip6' - ignore_failure: true - - rename: - field: json.protocol - target_field: infoblox_bloxone_ddi.dhcp_lease.protocol - ignore_missing: true - - set: - field: network.type - copy_from: infoblox_bloxone_ddi.dhcp_lease.protocol - ignore_failure: true - - lowercase: - field: network.type - ignore_failure: true - - rename: - field: json.space - target_field: infoblox_bloxone_ddi.dhcp_lease.space - ignore_missing: true - - date: - field: json.starts - target_field: infoblox_bloxone_ddi.dhcp_lease.starts - if: ctx.json?.starts != null && ctx.json.starts != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.start - copy_from: infoblox_bloxone_ddi.dhcp_lease.starts - ignore_failure: true - - rename: - field: json.state - target_field: infoblox_bloxone_ddi.dhcp_lease.state - ignore_missing: true - - rename: - field: json.type - target_field: infoblox_bloxone_ddi.dhcp_lease.type - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - infoblox_bloxone_ddi.dhcp_lease.last_updated - - infoblox_bloxone_ddi.dhcp_lease.client_id - - infoblox_bloxone_ddi.dhcp_lease.ends - - infoblox_bloxone_ddi.dhcp_lease.starts - - infoblox_bloxone_ddi.dhcp_lease.hostname - - infoblox_bloxone_ddi.dhcp_lease.host - - infoblox_bloxone_ddi.dhcp_lease.protocol - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/base-fields.yml deleted file mode 100755 index 4b10727c63..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: infoblox_bloxone_ddi -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: infoblox_bloxone_ddi.dhcp_lease diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/ecs.yml deleted file mode 100755 index 36437b3e68..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/ecs.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. - name: host.name - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/fields.yml deleted file mode 100755 index 2aa51045d1..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: infoblox_bloxone_ddi.dhcp_lease - type: group - fields: - - name: address - type: ip - description: The IP address of the DHCP lease in the format "a.b.c.d". This address will be marked as leased in IPAM while the lease exists. - - name: client_id - type: keyword - description: The client ID of the DHCP lease. It might be empty. - - name: ends - type: date - description: The time when the DHCP lease will expire. - - name: fingerprint - type: group - fields: - - name: processed - type: keyword - description: Indicates if the DHCP lease has been fingerprinted. - - name: value - type: keyword - description: The DHCP fingerprint of the lease. - - name: ha_group - type: keyword - description: The resource identifier. - - name: hardware - type: keyword - description: The hardware address of the DHCP lease. This specifies the MAC address of the network interface on which the lease will be used. It consists of six groups of two hex digits in lower-case separated by colons. For example, "aa:bb:cc:dd:ee:ff". - - name: host - type: keyword - description: The resource identifier. - - name: hostname - type: keyword - description: The client hostname of the DHCP lease. This specifies the host name that the DHCP client sends to the DHCP server using DHCP option 12. It is a fully qualified domain name, consisting of a series of labels separated by dots. For example, "www.infoblox.com". It might be empty. - - name: iaid - type: long - description: Identity Association Identifier (IAID) of the lease. Applicable only for DHCPv6. - - name: last_updated - type: date - description: The time when the DHCP lease was last updated. - - name: options - type: flattened - description: The DHCP options of the lease in JSON format. - - name: preferred_lifetime - type: date - description: The preferred time when the DHCP lease should expire. Applicable only for DHCPv6. - - name: protocol - type: keyword - description: Lease protocol type. 
- - name: space - type: keyword - description: The resource identifier. - - name: starts - type: date - description: The time when the DHCP lease was issued. - - name: state - type: keyword - description: The state of the DHCP lease. - - name: type - type: keyword - description: Lease type. diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/manifest.yml deleted file mode 100755 index 1b94fb56d2..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/manifest.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: Collect DHCP Lease logs from Infoblox BloxOne DDI -type: logs -streams: - - input: httpjson - title: DHCP Lease logs - description: Collect DHCP Lease logs from Infoblox BloxOne DDI. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the Infoblox BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - infoblox_bloxone_ddi_dhcp_lease - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/sample_event.json deleted file mode 100755 index 9af8ef3ada..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dhcp_lease/sample_event.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "@timestamp": "2022-07-11T11:51:15.417Z", - "agent": { - "ephemeral_id": "a4b27e2a-c005-43ce-9542-7548dcc7b414", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "client": { - "user": { - "id": "abc3212abc" - } - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-09-22T08:27:40.118Z", - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "end": "2022-07-11T11:51:15.417Z", - "ingested": "2022-09-22T08:27:43Z", - "kind": "event", - "original": "{\"address\":\"81.2.69.192\",\"client_id\":\"abc3212abc\",\"ends\":\"2022-07-11T11:51:15.417Z\",\"fingerprint\":\"ab3213cbabab/abc23bca\",\"fingerprint_processed\":\"12abca32bca32abcd\",\"ha_group\":\"abc321cdcbda321\",\"hardware\":\"00:00:5E:00:53:00\",\"host\":\"admin\",\"hostname\":\"Host1\",\"iaid\":0,\"last_updated\":\"2022-07-11T11:51:15.417Z\",\"options\":{\"message\":\"Hello\"},\"preferred_lifetime\":\"2022-07-11T11:51:15.417Z\",\"protocol\":\"ip4\",\"space\":\"DHCP lease Space\",\"starts\":\"2022-07-14T11:51:15.417Z\",\"state\":\"used\",\"type\":\"DHCP lease Type\"}", - "start": "2022-07-14T11:51:15.417Z", - "type": [ - "protocol" - ] - }, - "host": { - "hostname": "Host1", - "name": "admin" - }, - "infoblox_bloxone_ddi": { - "dhcp_lease": { - "address": "81.2.69.192", - "client_id": "abc3212abc", - "ends": "2022-07-11T11:51:15.417Z", - "fingerprint": { - "processed": "12abca32bca32abcd", - "value": "ab3213cbabab/abc23bca" - }, - "ha_group": "abc321cdcbda321", - "hardware": "00-00-5E-00-53-00", - "host": "admin", - "hostname": "Host1", - "iaid": 0, - "last_updated": 
"2022-07-11T11:51:15.417Z", - "options": { - "message": "Hello" - }, - "preferred_lifetime": "2022-07-11T11:51:15.417Z", - "protocol": "ipv4", - "space": "DHCP lease Space", - "starts": "2022-07-14T11:51:15.417Z", - "state": "used", - "type": "DHCP lease Type" - } - }, - "input": { - "type": "httpjson" - }, - "network": { - "type": "ipv4" - }, - "related": { - "hosts": [ - "admin", - "Host1" - ], - "ip": [ - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dhcp_lease" - ] -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/agent/stream/httpjson.yml.hbs deleted file mode 100755 index a0e6e01a69..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,54 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/api/ddi/v1/dns/view -request.transforms: - - set: - target: header.Authorization - value: 'Token {{api_key}}' - - set: - target: url.params._offset - value: 0 - - set: - target: url.params._limit - value: 100 - - set: - target: url.params._order_by - value: 'updated_at asc' - - set: - target: url.params._filter - value: 'updated_at>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"' - default: 'updated_at>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"' -response.pagination: - - set: - target: url.params._offset - value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_updated_at: - value: '[[.last_event.updated_at]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0e61d025ff..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1993 +0,0 @@ ---- -description: Pipeline for parsing DNS config logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.created_at - - json.updated_at - - json.id - target_field: _id - ignore_missing: true - - convert: - field: json.add_edns_option_in_outgoing_query - target_field: infoblox_bloxone_ddi.dns_config.add_edns.option_in.outgoing_query - if: ctx.json?.add_edns_option_in_outgoing_query != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.comment - target_field: infoblox_bloxone_ddi.dns_config.comment - ignore_missing: true - - date: - field: json.created_at - target_field: infoblox_bloxone_ddi.dns_config.created_at - if: ctx.json?.created_at != null && ctx.json.created_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.created - copy_from: infoblox_bloxone_ddi.dns_config.created_at - ignore_failure: true - - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true 
- - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.custom_root_ns - target_field: infoblox_bloxone_ddi.dns_config.custom_root_ns - ignore_missing: true - - convert: - field: json.custom_root_ns_enabled - target_field: infoblox_bloxone_ddi.dns_config.custom_root_ns_enabled - if: ctx.json?.custom_root_ns_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.disabled - target_field: infoblox_bloxone_ddi.dns_config.disabled - if: ctx.json?.disabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.dnssec_enable_validation - target_field: infoblox_bloxone_ddi.dns_config.dnssec.enable_validation - if: ctx.json?.dnssec_enable_validation != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.dnssec_enabled - target_field: infoblox_bloxone_ddi.dns_config.dnssec.enabled - if: ctx.json?.dnssec_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - 
processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - rename: - field: _ingest._value.public_key - target_field: _ingest._value.public - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.dnssec_root_keys - target_field: infoblox_bloxone_ddi.dns_config.dnssec.root_keys - ignore_missing: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.dnssec_trust_anchors 
- target_field: infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors - ignore_missing: true - - convert: - field: json.dnssec_validate_expiry - target_field: infoblox_bloxone_ddi.dns_config.dnssec.validate_expiry - if: ctx.json?.dnssec_validate_expiry != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_enabled - target_field: infoblox_bloxone_ddi.dns_config.ecs.enabled - if: ctx.json?.ecs_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_forwarding - target_field: infoblox_bloxone_ddi.dns_config.ecs.forwarding - if: ctx.json?.ecs_forwarding != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_prefix_v4 - target_field: infoblox_bloxone_ddi.dns_config.ecs.prefix_v4 - if: ctx.json?.ecs_prefix_v4 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_prefix_v6 - target_field: infoblox_bloxone_ddi.dns_config.ecs.prefix_v6 - if: ctx.json?.ecs_prefix_v6 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.ecs_zones - if: ctx.json?.ecs_zones instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.ecs_zones - target_field: infoblox_bloxone_ddi.dns_config.ecs.zones - ignore_missing: true - - convert: - field: json.edns_udp_size - target_field: infoblox_bloxone_ddi.dns_config.edns.udp.size - if: ctx.json?.edns_udp_size != '' - type: long - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.forwarders - target_field: infoblox_bloxone_ddi.dns_config.forwarders - ignore_missing: true - - convert: - field: json.forwarders_only - target_field: infoblox_bloxone_ddi.dns_config.forwarders_only - if: ctx.json?.forwarders_only != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.gss_tsig_enabled - target_field: infoblox_bloxone_ddi.dns_config.gss_tsig_enabled - if: ctx.json?.gss_tsig_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.id - target_field: infoblox_bloxone_ddi.dns_config.id - ignore_missing: true - - set: - field: event.id - copy_from: infoblox_bloxone_ddi.dns_config.id - ignore_failure: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.action - target_field: 
infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action - ignore_missing: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source - ignore_missing: true - - convert: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.value - if: ctx.json?.inheritance_sources?.add_edns_option_in_outgoing_query?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.custom_root_ns_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.source - ignore_missing: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: 
true - ignore_failure: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value - ignore_missing: true - - convert: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value_enabled - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.dnssec_validation_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.source - ignore_missing: true - - 
convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_enable_validation - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enable - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_enable_validation != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enabled - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - 
ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors - ignore_missing: true - - convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_validate_expiry - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.validate_expiry - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_validate_expiry != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.ecs_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.ecs_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.ecs_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.source - ignore_missing: true - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.enabled - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_forwarding - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.forwarding - if: 
ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_forwarding != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_prefix_v4 - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v4 - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_prefix_v4 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_prefix_v6 - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v6 - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_prefix_v6 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.inheritance_sources.ecs_block.value.ecs_zones - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_zones instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.ecs_block.value.ecs_zones - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.action - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.source - 
ignore_missing: true
- - convert:
- field: json.inheritance_sources.edns_udp_size.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.value
- if: ctx.json?.inheritance_sources?.edns_udp_size?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.forwarders_block.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.forwarders_block.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.forwarders_block.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.forwarders_block.value.forwarders
- if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.forwarders_block.value.forwarders
- if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.forwarders_block.value.forwarders
- if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List
- processor:
- rename:
- field: _ingest._value.protocol_fqdn
- target_field: 
_ingest._value.protocol.fqdn
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.forwarders_block.value.forwarders
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.forwarders_block.value.forwarders_only
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value_only
- if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders_only != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.gss_tsig_enabled.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.gss_tsig_enabled.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.gss_tsig_enabled.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.gss_tsig_enabled.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.value
- if: ctx.json?.inheritance_sources?.gss_tsig_enabled?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.lame_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.lame_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.display.name
- ignore_missing: true
- - rename:
- field: 
json.inheritance_sources.lame_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.lame_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.value
- if: ctx.json?.inheritance_sources?.lame_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.match_recursive_only.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.match_recursive_only.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.match_recursive_only.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.match_recursive_only.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.value
- if: ctx.json?.inheritance_sources?.match_recursive_only?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.max_cache_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_cache_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_cache_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.source
- ignore_missing: true
- - 
convert:
- field: json.inheritance_sources.max_cache_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.value
- if: ctx.json?.inheritance_sources?.max_cache_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.max_negative_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_negative_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_negative_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.max_negative_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.value
- if: ctx.json?.inheritance_sources?.max_negative_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.max_udp_size.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_udp_size.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.max_udp_size.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.max_udp_size.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.value
- if: 
ctx.json?.inheritance_sources?.max_udp_size?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.minimal_responses.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.minimal_responses.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.minimal_responses.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.minimal_responses.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.value
- if: ctx.json?.inheritance_sources?.minimal_responses?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.notify.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.notify.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.notify.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.notify.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.value
- if: ctx.json?.inheritance_sources?.notify?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: 
json.inheritance_sources.query_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.query_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.query_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.query_acl.value
- target_field: 
infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- 
ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.recursion_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.recursion_enabled.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.value
- if: ctx.json?.inheritance_sources?.recursion_enabled?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.name
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.synthesize_address_records_from_https.value
- target_field: 
infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.value
- if: ctx.json?.inheritance_sources?.synthesize_address_records_from_https?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.transfer_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.transfer_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.transfer_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: 
ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.transfer_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- 
ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.update_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.use_forwarders_for_subzones.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.value
- if: ctx.json?.inheritance_sources?.use_forwarders_for_subzones?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.default_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.default_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.display.name
- ignore_missing: true
- - rename:
- field: 
json.inheritance_sources.zone_authority.default_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.default_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.value
- if: ctx.json?.inheritance_sources?.zone_authority?.default_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.expire.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.expire.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.expire.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.expire.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.value
- if: ctx.json?.inheritance_sources?.zone_authority?.expire?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.display.name
- ignore_missing: true
- - rename:
- field: 
json.inheritance_sources.zone_authority.mname_block.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.value.mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block_value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.value.protocol_mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.protocol.mname
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.mname_block.value.use_default_mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.isdefault
- if: ctx.json?.inheritance_sources?.zone_authority?.mname_block?.value?.use_default_mname != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.negative_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.value
- if: ctx.json?.inheritance_sources?.zone_authority?.negative_ttl?.value != ''
- type: long
- ignore_missing: true
- 
on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.refresh.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.value
- if: ctx.json?.inheritance_sources?.zone_authority?.refresh?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.retry.action
- 
target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.retry.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.retry.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.retry.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.value
- if: ctx.json?.inheritance_sources?.zone_authority?.retry?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.rname.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.value
- ignore_missing: true
- - rename:
- field: json.ip_spaces
- target_field: infoblox_bloxone_ddi.dns_config.ip_spaces
- ignore_missing: true
- - convert:
- field: json.lame_ttl
- target_field: infoblox_bloxone_ddi.dns_config.lame_ttl
- if: ctx.json?.lame_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- 
value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: dns.answers.ttl
- copy_from: infoblox_bloxone_ddi.dns_config.lame_ttl
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.match_clients_acl
- target_field: infoblox_bloxone_ddi.dns_config.match_clients_acl
- ignore_missing: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: 
_ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.match_destinations_acl
- target_field: infoblox_bloxone_ddi.dns_config.match_destinations_acl
- ignore_missing: true
- - convert:
- field: json.match_recursive_only
- target_field: infoblox_bloxone_ddi.dns_config.match_recursive_only
- if: ctx.json?.match_recursive_only != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.max_cache_ttl
- target_field: infoblox_bloxone_ddi.dns_config.max_cache_ttl
- if: ctx.json?.max_cache_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - 
convert:
- field: json.max_negative_ttl
- target_field: infoblox_bloxone_ddi.dns_config.max_negative_ttl
- if: ctx.json?.max_negative_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.max_udp_size
- target_field: infoblox_bloxone_ddi.dns_config.max_udp_size
- if: ctx.json?.max_udp_size != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.minimal_responses
- target_field: infoblox_bloxone_ddi.dns_config.minimal_responses
- if: ctx.json?.minimal_responses != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.name
- target_field: infoblox_bloxone_ddi.dns_config.name
- ignore_missing: true
- - convert:
- field: json.notify
- target_field: infoblox_bloxone_ddi.dns_config.notify
- if: ctx.json?.notify != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- 
ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.query_acl
- target_field: infoblox_bloxone_ddi.dns_config.query_acl
- ignore_missing: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- 
target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.recursion_acl
- target_field: infoblox_bloxone_ddi.dns_config.recursion_acl
- ignore_missing: true
- - convert:
- field: json.recursion_enabled
- target_field: infoblox_bloxone_ddi.dns_config.recursion_enabled
- if: ctx.json?.recursion_enabled != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.synthesize_address_records_from_https
- target_field: infoblox_bloxone_ddi.dns_config.synthesize.address_records_from_https
- if: ctx.json?.synthesize_address_records_from_https != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.tags
- target_field: infoblox_bloxone_ddi.dns_config.tags
- ignore_missing: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- rename:
- field: 
_ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.transfer_acl
- target_field: infoblox_bloxone_ddi.dns_config.transfer_acl
- ignore_missing: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.update_acl
- target_field: 
infoblox_bloxone_ddi.dns_config.update_acl - ignore_missing: true - - date: - field: json.updated_at - target_field: infoblox_bloxone_ddi.dns_config.updated_at - if: ctx.json?.updated_at != null && ctx.json.updated_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: infoblox_bloxone_ddi.dns_config.updated_at - ignore_failure: true - - convert: - field: json.use_forwarders_for_subzones - target_field: infoblox_bloxone_ddi.dns_config.use_forwarders_for_subzones - if: ctx.json?.use_forwarders_for_subzones != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.zone_authority.default_ttl - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.default_ttl - if: ctx.json?.zone_authority?.default_ttl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.zone_authority.expire - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.expire - if: ctx.json?.zone_authority?.expire != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.zone_authority.mname - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.mname - ignore_missing: true - - convert: - field: json.zone_authority.negative_ttl - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.negative_ttl - if: ctx.json?.zone_authority?.negative_ttl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.zone_authority.protocol_mname - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname - ignore_missing: true - - rename: - field: 
json.zone_authority.protocol_rname - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.protocol.rname - ignore_missing: true - - convert: - field: json.zone_authority.refresh - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.refresh - if: ctx.json?.zone_authority?.refresh != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.zone_authority.retry - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.retry - if: ctx.json?.zone_authority?.retry != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.zone_authority.rname - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.rname - ignore_missing: true - - convert: - field: json.zone_authority.use_default_mname - target_field: infoblox_bloxone_ddi.dns_config.zone_authority.use_default_mname - if: ctx.json?.zone_authority?.use_default_mname != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: json - ignore_missing: true - - remove: - field: - - infoblox_bloxone_ddi.dns_config.updated_at - - infoblox_bloxone_ddi.dns_config.lame_ttl - - infoblox_bloxone_ddi.dns_config.created_at - - infoblox_bloxone_ddi.dns_config.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/base-fields.yml deleted file mode 100755 index f98584bba2..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: infoblox_bloxone_ddi -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: infoblox_bloxone_ddi.dns_config diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/ecs.yml deleted file mode 100755 index bcb862f2c4..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/ecs.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/fields.yml deleted file mode 100755 index 423cf2bcc0..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/fields/fields.yml +++ /dev/null 
@@ -1,1276 +0,0 @@ -- name: infoblox_bloxone_ddi.dns_config - type: group - fields: - - name: add_edns - type: group - fields: - - name: option_in - type: group - fields: - - name: outgoing_query - type: boolean - description: add_edns_option_in_outgoing_query adds client IP, MAC address and view name into outgoing recursive query. - - name: comment - type: keyword - description: Optional. Comment for view. - - name: created_at - type: date - description: The timestamp when the object has been created. - - name: custom_root_ns_enabled - type: boolean - description: Optional. true to use custom root nameservers instead of the default ones. - - name: custom_root_ns - type: group - description: List of custom root nameservers. The order does not matter. - fields: - - name: address - type: ip - description: IPv4 address. - - name: fqdn - type: keyword - description: FQDN. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: FQDN in punycode. - - name: disabled - type: boolean - description: Optional. true to disable object. A disabled object is effectively non-existent when generating configuration. - - name: dnssec - type: group - fields: - - name: enable_validation - type: boolean - description: Optional. true to perform DNSSEC validation. - - name: enabled - type: boolean - description: Optional. Master toggle for all DNSSEC processing. - - name: root_keys - type: group - fields: - - name: algorithm - type: long - description: Key algorithm. Algorithm values are as per standards. - - name: protocol - type: group - fields: - - name: zone - type: keyword - description: Zone FQDN in punycode. - - name: public - type: keyword - description: DNSSEC key data. Non-empty, valid base64 string. - - name: sep - type: boolean - description: Optional. Secure Entry Point flag. - - name: zone - type: keyword - description: Zone FQDN. - - name: trust_anchors - type: group - fields: - - name: algorithm - type: long - description: Key algorithm. 
Algorithm values are as per standards. - - name: protocol - type: group - fields: - - name: zone - type: keyword - description: Zone FQDN in punycode. - - name: public_key - type: keyword - description: DNSSEC key data. Non-empty, valid base64 string. - - name: sep - type: boolean - description: Optional. Secure Entry Point flag. - - name: zone - type: keyword - description: Zone FQDN. - - name: validate_expiry - type: boolean - description: Optional. true to reject expired DNSSEC keys. - - name: ecs - type: group - fields: - - name: enabled - type: boolean - description: Optional. true to enable EDNS client subnet for recursive queries. - - name: forwarding - type: boolean - description: Optional. true to enable ECS options in outbound queries. This functionality has additional overhead so it is disabled by default. - - name: prefix_v4 - type: long - description: Optional. Maximum scope length for v4 ECS. - - name: prefix_v6 - type: long - description: Optional. Maximum scope length for v6 ECS. - - name: zones - type: group - fields: - - name: access - type: keyword - description: Access control for zone. - - name: fqdn - type: keyword - description: Zone FQDN. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: Zone FQDN in punycode. - - name: edns - type: group - fields: - - name: udp - type: group - fields: - - name: size - type: long - description: Optional. edns_udp_size represents the edns UDP size. - - name: forwarders_only - type: boolean - description: Optional. true to only forward. - - name: forwarders - type: group - fields: - - name: address - type: ip - description: Server IP address. - - name: fqdn - type: keyword - description: Server FQDN. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: Server FQDN in punycode. - - name: gss_tsig_enabled - type: boolean - description: gss_tsig_enabled enables/disables GSS-TSIG signed dynamic updates. 
- - name: id - type: keyword - description: The resource identifier. - - name: inheritance - type: group - fields: - - name: sources - type: group - fields: - - name: add_edns - type: group - fields: - - name: option_in - type: group - fields: - - name: outgoing_query - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: custom_root_ns - type: group - fields: - - name: block - type: group - fields: - - name: action - type: keyword - description: Defaults to inherit. - - name: display - type: group - fields: - - name: name - type: keyword - description: Human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: address - type: ip - description: IPv4 address. - - name: fqdn - type: keyword - description: Optional. Field config for custom_root_ns_enabled field. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: FQDN. - - name: value_enabled - type: boolean - description: FQDN in punycode. - - name: dnssec - type: group - fields: - - name: validation - type: group - fields: - - name: block - type: group - fields: - - name: action - type: keyword - description: Defaults to inherit. - - name: display - type: group - fields: - - name: name - type: keyword - description: Human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: enable - type: boolean - description: Optional. Field config for dnssec_enable_validation field. 
- - name: enabled - type: boolean - description: Optional. Field config for dnssec_enabled field. - - name: trust_anchors - type: group - fields: - - name: algorithm - type: long - description: Key algorithm. Algorithm values are as per standards. - - name: protocol - type: group - fields: - - name: zone - type: keyword - description: Zone FQDN in punycode. - - name: public_key - type: keyword - description: DNSSEC key data. Non-empty, valid base64 string. - - name: sep - type: boolean - description: Optional. Secure Entry Point flag. - - name: zone - type: keyword - description: Zone FQDN. - - name: validate_expiry - type: boolean - description: Optional. Field config for dnssec_validate_expiry field. - - name: ecs - type: group - fields: - - name: block - type: group - fields: - - name: action - type: keyword - description: Defaults to inherit. - - name: display - type: group - fields: - - name: name - type: keyword - description: Human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: enabled - type: boolean - description: Optional. Field config for ecs_enabled field. - - name: forwarding - type: boolean - description: Optional. Field config for ecs_forwarding field. - - name: prefix_v4 - type: long - description: Optional. Field config for ecs_prefix_v4 field. - - name: prefix_v6 - type: long - description: Optional. Field config for ecs_prefix_v6 field. - - name: zones - type: group - fields: - - name: access - type: keyword - description: Access control for zone. - - name: fqdn - type: keyword - description: Zone FQDN. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: Zone FQDN in punycode. - - name: edns - type: group - fields: - - name: udp - type: group - fields: - - name: size - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. 
- - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: forwarders - type: group - fields: - - name: block - type: group - fields: - - name: action - type: keyword - description: Defaults to inherit. - - name: display - type: group - fields: - - name: name - type: keyword - description: Human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value_only - type: boolean - description: Optional. Field config for forwarders_only field. - - name: value - type: group - fields: - - name: address - type: ip - description: Server IP address. - - name: fqdn - type: keyword - description: Server FQDN. - - name: protocol - type: group - fields: - - name: fqdn - type: keyword - description: Server FQDN in punycode. - - name: gss_tsig_enabled - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: lame_ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. 
- - name: match_recursive_only - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: max_cache_ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: max_negative_ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: max_udp_size - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: minimal_responses - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. 
- - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: notify - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: query_acl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: acl - type: keyword - description: The resource identifier. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. 
- - name: recursion_acl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: acl - type: keyword - description: The resource identifier. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: recursion_enabled - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: synthesize - type: group - fields: - - name: address_records_from_https - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. 
- - name: name - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: transfer_acl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: acl - type: keyword - description: The resource identifier. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: update_acl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: acl - type: keyword - description: The resource identifier. - - name: address - type: ip - description: Optional. Data for ip element. 
- - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: use_forwarders_for_subzones - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: boolean - description: The inherited value. - - name: zone_authority - type: group - fields: - - name: default_ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: expire - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. 
- - name: mname_block_value - type: keyword - description: Defaults to empty. - - name: mname_block - type: group - fields: - - name: action - type: keyword - description: Defaults to inherit. - - name: display - type: group - fields: - - name: name - type: keyword - description: Human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: group - fields: - - name: isdefault - type: boolean - description: Optional. Use default value for master name server. Defaults to true. - - name: protocol - type: group - fields: - - name: mname - type: keyword - description: Optional. Master name server in punycode. Defaults to empty. - - name: negative_ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: protocol_rname - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: keyword - description: The inherited value. - - name: refresh - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. 
- - name: value - type: long - description: The inherited value. - - name: retry - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: rname - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: keyword - description: The inherited value. - - name: ip_spaces - type: keyword - description: The resource identifier. - - name: lame_ttl - type: long - description: Optional. Unused in the current on-prem DNS server implementation. - - name: match_clients_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. 
- - name: match_destinations_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: match_recursive_only - type: boolean - description: Optional. If true only recursive queries from matching clients access the view. - - name: max_cache_ttl - type: long - description: Optional. Seconds to cache positive responses. - - name: max_negative_ttl - type: long - description: Optional. Seconds to cache negative responses. - - name: max_udp_size - type: long - description: Optional. max_udp_size represents maximum UDP payload size. - - name: minimal_responses - type: boolean - description: Optional. When enabled, the DNS server will only add records to the authority and additional data sections when they are required. - - name: name - type: keyword - description: Name of view. - - name: notify - type: boolean - description: notify all external secondary DNS servers. - - name: query_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. 
- - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: recursion_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: recursion_enabled - type: boolean - description: Optional. true to allow recursive DNS queries. - - name: synthesize - type: group - fields: - - name: address_records_from_https - type: boolean - description: synthesize_address_records_from_https enables/disables creation of A/AAAA records from HTTPS RR. - - name: tags - type: flattened - description: Tagging specifics. - - name: transfer_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. 
- - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: update_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: updated_at - type: date - description: The timestamp when the object has been updated. Equals to created_at if not updated after creation. - - name: use_forwarders_for_subzones - type: boolean - description: Optional. Use default forwarders to resolve queries for subzones. - - name: zone_authority - type: group - fields: - - name: default_ttl - type: long - description: Optional. 
ZoneAuthority default ttl for resource records in zone (value in seconds).
- - name: expire
- type: long
- description: Optional. ZoneAuthority expire time in seconds. Defaults to 2419200.
- - name: mname
- type: keyword
- description: Optional. ZoneAuthority master name server (partially qualified domain name) Defaults to empty.
- - name: negative_ttl
- type: long
- description: Optional. ZoneAuthority negative caching (minimum) ttl in seconds.
- - name: protocol
- type: group
- fields:
- - name: mname
- type: keyword
- description: Optional. ZoneAuthority master name server in punycode. Defaults to empty.
- - name: rname
- type: keyword
- description: Optional. A domain name which specifies the mailbox of the person responsible for this zone. Defaults to empty.
- - name: refresh
- type: long
- description: Optional. ZoneAuthority refresh. Defaults to 10800.
- - name: retry
- type: long
- description: Optional. ZoneAuthority retry. Defaults to 3600.
- - name: rname
- type: keyword
- description: Optional. ZoneAuthority rname. Defaults to empty.
- - name: use_default_mname
- type: boolean
- description: Optional. Use default value for master name server. Defaults to true.
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/manifest.yml
deleted file mode 100755
index b83c320597..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/manifest.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-title: Collect DNS Config logs from Infoblox BloxOne DDI
-type: logs
-streams:
- - input: httpjson
- title: DNS Config logs
- description: Collect DNS Config logs from Infoblox BloxOne DDI.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the Infoblox BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - infoblox_bloxone_ddi_dns_config
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/sample_event.json
deleted file mode 100755
index c2849e4b32..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_config/sample_event.json
+++ /dev/null
@@ -1,670 +0,0 @@ -{ - "@timestamp": "2022-07-15T06:55:25.978Z", - "agent": { - "ephemeral_id": "72747b3e-5f2e-4261-a994-aff0ac9b5be1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_config", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 350 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-15T06:55:25.978Z", - "dataset": "infoblox_bloxone_ddi.dns_config", - "id": "adv12rgfh", - "ingested": "2022-09-22T08:28:25Z", - "kind": "event", - "original": "{\"add_edns_option_in_outgoing_query\":true,\"comment\":\"DNS Config Comment\",\"created_at\":\"2022-07-15T06:55:25.978Z\",\"custom_root_ns\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"custom fqdn\",\"protocol_fqdn\":\"custom protocol fqdn\"}],\"custom_root_ns_enabled\":true,\"disabled\":true,\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_root_keys\":[{\"algorithm\":30,\"protocol_zone\":\"Dnssec root protocol zone\",\"public_key\":\"Dnssec root Public Key\",\"sep\":true,\"zone\":\"Dnssec root Zone\"}],\"dnssec_trust_anchors\":[{\"algorithm\":10,\"protocol_zone\":\"Dnssec trust protocol zone\",\"public_key\":\"Dnssec trust Public Key\",\"sep\":true,\"zone\":\"Dnssec trust zone\"}],\"dnssec_validate_expiry\":true,\"ecs_enabled\":true,\"ecs_forwarding\":true,\"ecs_prefix_v4\":22,\"ecs_prefix_v6\":33,\"ecs_zones\":[{\"access\":\"ecs zones access\",\"fqdn\":\"ecs zones fqdn\",\"protocol_fqdn\":\"ecs zones protocol fqdn\"}],\"edns_udp_size\":568,\"forwarders\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"forwarders fqdn\",\"protocol_fqdn\":\"forwarders protocol 
fqdn\"}],\"forwarders_only\":true,\"gss_tsig_enabled\":true,\"id\":\"adv12rgfh\",\"inheritance_sources\":{\"add_edns_option_in_outgoing_query\":{\"action\":\"inherit\",\"display_name\":\"displaynameadd_edns_option_in_outgoing_query\",\"source\":\"sourceadd_edns_option_in_outgoing_query\",\"value\":true},\"custom_root_ns_block\":{\"action\":\"override\",\"display_name\":\"displaynamecustom_root_ns_block\",\"source\":\"sourcecustom_root_ns_block\",\"value\":{\"custom_root_ns\":[{\"address\":\"67.43.156.0\",\"fqdn\":\"fqdn_custom_root_ns\",\"protocol_fqdn\":\"protocolfqdn_custom_root_ns\"}],\"custom_root_ns_enabled\":true}},\"dnssec_validation_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamednssec_validation_block\",\"source\":\"sourcednssec_validation_block\",\"value\":{\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_trust_anchors\":[{\"algorithm\":8,\"protocol_zone\":\"protocolzonednssec_trust_anchors\",\"public_key\":\"publickeydnssec_trust_anchors\",\"sep\":false,\"zone\":\"is3zone\"}],\"dnssec_validate_expiry\":true}},\"ecs_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameecs_block\",\"source\":\"sourceecs_block\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":10,\"ecs_zones\":[{\"access\":\"inherit\",\"fqdn\":\"fqdnecs_block\",\"protocol_fqdn\":\"protocol_fqdnecs_block\"}]}},\"ecs_zones\":{\"action\":\"override\",\"display_name\":\"displaynameecs_zones\",\"source\":\"sourceecs_zones\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":12,\"ecs_zones\":[{\"access\":\"access_ecs_zones\",\"fqdn\":\"fqdn_ecs_zones\",\"protocol_fqdn\":\"protocolfqdn_ecs_zones\"}]}},\"edns_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynameedns_udp_size\",\"source\":\"sourceedns_udp_size\",\"value\":55},\"forwarders_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameforwarders_block\",\"source\":\"sourceforwarders_block\",\"v
alue\":{\"forwarders\":[{\"address\":\"89.160.20.128\",\"fqdn\":\"forwarders_fqdn\",\"protocol_fqdn\":\"forwarders_protocolfqdn\"}],\"forwarders_only\":true}},\"gss_tsig_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamegss_tsig_enabled\",\"source\":\"sourcegss_tsig_enabled\",\"value\":true},\"lame_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamelame_ttl\",\"source\":\"sourcelame_ttl\",\"value\":45},\"match_recursive_only\":{\"action\":\"inherit\",\"display_name\":\"displaynamematch_recursive_only\",\"source\":\"sourcematch_recursive_only\",\"value\":false},\"max_cache_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_cache_ttl\",\"source\":\"sourcemax_cache_ttl\",\"value\":13},\"max_negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_negative_ttl\",\"source\":\"sourcemax_negative_ttl\",\"value\":12},\"max_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_udp_size\",\"source\":\"sourcemax_udp_size\",\"value\":11},\"minimal_responses\":{\"action\":\"inherit\",\"display_name\":\"displaynameminimal_responses\",\"source\":\"sourceminimal_responses\",\"value\":true},\"notify\":{\"action\":\"inherit\",\"display_name\":\"displayname_notify\",\"source\":\"source_notify\",\"value\":true},\"query_acl\":{\"action\":\"override\",\"display_name\":\"displaynamequery_acl\",\"source\":\"sourcequery_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclvalue_query_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementvaluequery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha256\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolname_query_acl\",\"secret\":\"secretquery_acl\"}}]},\"recursion_acl\":{\"action\":\"override\",\"display_name\":\"displaynamerecursion_acl\",\"source\":\"sourcerecursion_acl\",\"value\":[{\"access\":\"deny\",\"acl\":\"aclrecursion_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"a
lgorithm\":\"hmac_sha384\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}]},\"recursion_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamerecursion_enabled\",\"source\":\"sourcerecursion_enabled\",\"value\":true},\"synthesize_address_records_from_https\":{\"action\":\"inherit\",\"display_name\":\"displaynamesynthesize_address_records_from_https\",\"source\":\"sourcesynthesize_address_records_from_https\",\"value\":true},\"transfer_acl\":{\"action\":\"inherit\",\"display_name\":\"displaynametransfer_acl\",\"source\":\"sourcetransfer_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}]},\"update_acl\":{\"action\":\"override\",\"display_name\":\"displaynameupdate_acl\",\"source\":\"sourceupdate_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}]},\"use_forwarders_for_subzones\":{\"action\":\"override\",\"display_name\":\"displaynameuse_forwarders_for_subzones\",\"source\":\"sourceuse_forwarders_for_subzones\",\"value\":false},\"zone_authority\":{\"default_ttl\":{\"action\":\"override\",\"display_name\":\"displaynamezone_authority\",\"source\":\"sourcezone_authority\",\"value\":50},\"expire\":{\"action\":\"inherit\",\"display_name\":\"displaynameexpire\",\"source\":\"sourceexpire\",\"value\":70},\"mname_block\":{\"action\":\"inherit\",\"display
_name\":\"displaynamemname_block\",\"source\":\"sourcemname_block\",\"value\":{\"mname\":\"mnamevaluemname_block\",\"protocol_mname\":\"protocolmnamemname_block\",\"use_default_mname\":true}},\"negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamenegative_ttl\",\"source\":\"sourcenegative_ttl\",\"value\":90},\"protocol_rname\":{\"action\":\"inherit\",\"display_name\":\"displaynameprotocol_rname\",\"source\":\"sourceprotocol_rname\",\"value\":\"valueprotocol_rname\"},\"refresh\":{\"action\":\"inherit\",\"display_name\":\"displayname_refresh\",\"source\":\"source_refresh\",\"value\":40},\"retry\":{\"action\":\"inherit\",\"display_name\":\"displayname_retry\",\"source\":\"source_retry\",\"value\":570},\"rname\":{\"action\":\"inherit\",\"display_name\":\"displayname_rname\",\"source\":\"source_rname\",\"value\":\"value_rname\"}}},\"ip_spaces\":[\"testipspaces\"],\"lame_ttl\":350,\"match_clients_acl\":[{\"access\":\"deny\",\"acl\":\"aclmatch_clients_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_clients_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha512\",\"comment\":\"commentmatch_clients_acl\",\"key\":\"keymatch_clients_acl\",\"name\":\"namematch_clients_acl\",\"protocol_name\":\"protocolnamematch_clients_acl\",\"secret\":\"secretmatch_clients_acl\"}}],\"match_destinations_acl\":[{\"access\":\"allow\",\"acl\":\"aclmatch_destinations_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_destinations_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentmatch_destinations_acl\",\"key\":\"keymatch_destinations_acl\",\"name\":\"namematch_destinations_acl\",\"protocol_name\":\"protocolnamematch_destinations_acl\",\"secret\":\"secretmatch_destinations_acl\"}}],\"match_recursive_only\":true,\"max_cache_ttl\":90,\"max_negative_ttl\":500,\"max_udp_size\":890,\"minimal_responses\":true,\"name\":\"string\",\"notify\":true,\"query_acl\":[{\"access\":\"accessquery_acl\",\"acl\":\"aclquery_acl\",\"address\":\"81.2.69.192\",\"element
\":\"elementquery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolnamequery_acl\",\"secret\":\"secretquery_acl\"}}],\"recursion_acl\":[{\"access\":\"allow\",\"acl\":\"aclrecursion_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}],\"recursion_enabled\":true,\"synthesize_address_records_from_https\":false,\"tags\":{\"message\":\"Hello\"},\"transfer_acl\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}],\"update_acl\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}],\"updated_at\":\"2022-07-15T06:55:25.978Z\",\"use_forwarders_for_subzones\":true,\"zone_authority\":{\"default_ttl\":20,\"expire\":10,\"mname\":\"mnamezone_authority\",\"negative_ttl\":30,\"protocol_mname\":\"protocolmnamezone_authority\",\"protocol_rname\":\"protocolrnamezone_authority\",\"refresh\":50,\"retry\":100,\"rname\":\"string\",\"use_default_mname\":true}}", - "type": [ - "protocol" - ] - }, - "infoblox_bloxone_ddi": { - "dns_config": { - "add_edns": { - "option_in": { - "outgoing_query": true - } - }, - "comment": "DNS Config Comment", - "created_at": "2022-07-15T06:55:25.978Z", - 
"custom_root_ns": [
- {
- "address": "81.2.69.192",
- "fqdn": "custom fqdn",
- "protocol": {
- "fqdn": "custom protocol fqdn"
- }
- }
- ],
- "custom_root_ns_enabled": true,
- "disabled": true,
- "dnssec": {
- "enable_validation": true,
- "enabled": true,
- "root_keys": [
- {
- "algorithm": 30,
- "protocol": {
- "zone": "Dnssec root protocol zone"
- },
- "public": "Dnssec root Public Key",
- "sep": true,
- "zone": "Dnssec root Zone"
- }
- ],
- "trust_anchors": [
- {
- "algorithm": 10,
- "protocol": {
- "zone": "Dnssec trust protocol zone"
- },
- "public_key": "Dnssec trust Public Key",
- "sep": true,
- "zone": "Dnssec trust zone"
- }
- ],
- "validate_expiry": true
- },
- "ecs": {
- "enabled": true,
- "forwarding": true,
- "prefix_v4": 22,
- "prefix_v6": 33,
- "zones": [
- {
- "access": "ecs zones access",
- "fqdn": "ecs zones fqdn",
- "protocol": {
- "fqdn": "ecs zones protocol fqdn"
- }
- }
- ]
- },
- "edns": {
- "udp": {
- "size": 568
- }
- },
- "forwarders": [
- {
- "address": "81.2.69.192",
- "fqdn": "forwarders fqdn",
- "protocol": {
- "fqdn": "forwarders protocol fqdn"
- }
- }
- ],
- "forwarders_only": true,
- "gss_tsig_enabled": true,
- "id": "adv12rgfh",
- "inheritance": {
- "sources": {
- "add_edns": {
- "option_in": {
- "outgoing_query": {
- "action": "inherit",
- "display": {
- "name": "displaynameadd_edns_option_in_outgoing_query"
- },
- "source": "sourceadd_edns_option_in_outgoing_query",
- "value": true
- }
- }
- },
- "custom_root_ns": {
- "block": {
- "action": "override",
- "display": {
- "name": "displaynamecustom_root_ns_block"
- },
- "source": "sourcecustom_root_ns_block",
- "value": [
- {
- "address": "67.43.156.0",
- "fqdn": "fqdn_custom_root_ns",
- "protocol": {
- "fqdn": "protocolfqdn_custom_root_ns"
- }
- }
- ],
- "value_enabled": true
- }
- },
- "dnssec": {
- "validation": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynamednssec_validation_block"
- },
- "source": "sourcednssec_validation_block",
- "value": { -
"enable": true,
- "enabled": true,
- "trust_anchors": [
- {
- "algorithm": 8,
- "protocol": {
- "zone": "protocolzonednssec_trust_anchors"
- },
- "public_key": "publickeydnssec_trust_anchors",
- "sep": false,
- "zone": "is3zone"
- }
- ],
- "validate_expiry": true
- }
- }
- }
- },
- "ecs": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynameecs_block"
- },
- "source": "sourceecs_block",
- "value": {
- "enabled": false,
- "forwarding": true,
- "prefix_v4": 4,
- "prefix_v6": 10,
- "zones": [
- {
- "access": "inherit",
- "fqdn": "fqdnecs_block",
- "protocol": {
- "fqdn": "protocol_fqdnecs_block"
- }
- }
- ]
- }
- }
- },
- "edns": {
- "udp": {
- "size": {
- "action": "inherit",
- "display": {
- "name": "displaynameedns_udp_size"
- },
- "source": "sourceedns_udp_size",
- "value": 55
- }
- }
- },
- "forwarders": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynameforwarders_block"
- },
- "source": "sourceforwarders_block",
- "value": [
- {
- "address": "89.160.20.128",
- "fqdn": "forwarders_fqdn",
- "protocol": {
- "fqdn": "forwarders_protocolfqdn"
- }
- }
- ],
- "value_only": true
- }
- },
- "gss_tsig_enabled": {
- "action": "inherit",
- "display": {
- "name": "displaynamegss_tsig_enabled"
- },
- "source": "sourcegss_tsig_enabled",
- "value": true
- },
- "lame_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamelame_ttl"
- },
- "source": "sourcelame_ttl",
- "value": 45
- },
- "match_recursive_only": {
- "action": "inherit",
- "display": {
- "name": "displaynamematch_recursive_only"
- },
- "source": "sourcematch_recursive_only",
- "value": false
- },
- "max_cache_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamemax_cache_ttl"
- },
- "source": "sourcemax_cache_ttl",
- "value": 13
- },
- "max_negative_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamemax_negative_ttl"
- },
- "source": "sourcemax_negative_ttl",
- "value": 12
- },
- "max_udp_size": {
- "action": "inherit", -
"display": {
- "name": "displaynamemax_udp_size"
- },
- "source": "sourcemax_udp_size",
- "value": 11
- },
- "minimal_responses": {
- "action": "inherit",
- "display": {
- "name": "displaynameminimal_responses"
- },
- "source": "sourceminimal_responses",
- "value": true
- },
- "notify": {
- "action": "inherit",
- "display": {
- "name": "displayname_notify"
- },
- "source": "source_notify",
- "value": true
- },
- "query_acl": {
- "action": "override",
- "display": {
- "name": "displaynamequery_acl"
- },
- "source": "sourcequery_acl",
- "value": [
- {
- "access": "allow",
- "acl": "aclvalue_query_acl",
- "address": "89.160.20.128",
- "element": "elementvaluequery_acl",
- "tsig_key": {
- "algorithm": "hmac_sha256",
- "comment": "commentquery_acl",
- "key": "keyquery_acl",
- "name": "namequery_acl",
- "protocol": {
- "name": "protocolname_query_acl"
- },
- "secret": "secretquery_acl"
- }
- }
- ]
- },
- "recursion_acl": {
- "action": "override",
- "display": {
- "name": "displaynamerecursion_acl"
- },
- "source": "sourcerecursion_acl",
- "value": [
- {
- "access": "deny",
- "acl": "aclrecursion_acl",
- "address": "89.160.20.128",
- "element": "elementrecursion_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentrecursion_acl",
- "key": "keyrecursion_acl",
- "name": "namerecursion_acl",
- "protocol": {
- "name": "protocolnamerecursion_acl"
- },
- "secret": "secretrecursion_acl"
- }
- }
- ]
- },
- "recursion_enabled": {
- "action": "inherit",
- "display": {
- "name": "displaynamerecursion_enabled"
- },
- "source": "sourcerecursion_enabled",
- "value": true
- },
- "synthesize": {
- "address_records_from_https": {
- "action": "inherit",
- "display": {
- "name": "displaynamesynthesize_address_records_from_https"
- },
- "name": "sourcesynthesize_address_records_from_https",
- "value": true
- }
- },
- "transfer_acl": {
- "action": "inherit",
- "display": {
- "name": "displaynametransfer_acl"
- },
- "source": "sourcetransfer_acl",
- "value": [
- { -
"access": "allow",
- "acl": "acltransfer_acl",
- "address": "216.160.83.56",
- "element": "elementtransfer_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commenttransfer_acl",
- "key": "keytransfer_acl",
- "name": "nametransfer_acl",
- "protocol": {
- "name": "protocolnametransfer_acl"
- },
- "secret": "secrettransfer_acl"
- }
- }
- ]
- },
- "update_acl": {
- "action": "override",
- "display": {
- "name": "displaynameupdate_acl"
- },
- "source": "sourceupdate_acl",
- "value": [
- {
- "access": "allow",
- "acl": "aclupdate_acl",
- "address": "216.160.83.56",
- "element": "elementupdate_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentupdate_acl",
- "key": "keyupdate_acl",
- "name": "nameupdate_acl",
- "protocol": {
- "name": "protocolnameupdate_acl"
- },
- "secret": "secretupdate_acl"
- }
- }
- ]
- },
- "use_forwarders_for_subzones": {
- "action": "override",
- "display": {
- "name": "displaynameuse_forwarders_for_subzones"
- },
- "source": "sourceuse_forwarders_for_subzones",
- "value": false
- },
- "zone_authority": {
- "default_ttl": {
- "action": "override",
- "display": {
- "name": "displaynamezone_authority"
- },
- "source": "sourcezone_authority",
- "value": 50
- },
- "expire": {
- "action": "inherit",
- "display": {
- "name": "displaynameexpire"
- },
- "source": "sourceexpire",
- "value": 70
- },
- "mname_block": {
- "action": "inherit",
- "display": {
- "name": "displaynamemname_block"
- },
- "source": "sourcemname_block",
- "value": {
- "isdefault": true,
- "protocol": {
- "mname": "protocolmnamemname_block"
- }
- }
- },
- "mname_block_value": "mnamevaluemname_block",
- "negative_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamenegative_ttl"
- },
- "source": "sourcenegative_ttl",
- "value": 90
- },
- "protocol_rname": {
- "action": "inherit",
- "display": {
- "name": "displaynameprotocol_rname"
- },
- "source": "sourceprotocol_rname",
- "value": "valueprotocol_rname"
- },
- "refresh": { -
"action": "inherit",
- "display": {
- "name": "displayname_refresh"
- },
- "source": "source_refresh",
- "value": 40
- },
- "retry": {
- "action": "inherit",
- "display": {
- "name": "displayname_retry"
- },
- "source": "source_retry",
- "value": 570
- },
- "rname": {
- "action": "inherit",
- "display": {
- "name": "displayname_rname"
- },
- "source": "source_rname",
- "value": "value_rname"
- }
- }
- }
- },
- "ip_spaces": [
- "testipspaces"
- ],
- "lame_ttl": 350,
- "match_clients_acl": [
- {
- "access": "deny",
- "address": "81.2.69.192",
- "element": "elementmatch_clients_acl",
- "tsig_key": {
- "algorithm": "hmac_sha512",
- "comment": "commentmatch_clients_acl",
- "key": "keymatch_clients_acl",
- "name": "namematch_clients_acl",
- "protocol": {
- "name": "protocolnamematch_clients_acl"
- },
- "secret": "secretmatch_clients_acl"
- },
- "value": "aclmatch_clients_acl"
- }
- ],
- "match_destinations_acl": [
- {
- "access": "allow",
- "address": "81.2.69.192",
- "element": "elementmatch_destinations_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentmatch_destinations_acl",
- "key": "keymatch_destinations_acl",
- "name": "namematch_destinations_acl",
- "protocol": {
- "name": "protocolnamematch_destinations_acl"
- },
- "secret": "secretmatch_destinations_acl"
- },
- "value": "aclmatch_destinations_acl"
- }
- ],
- "match_recursive_only": true,
- "max_cache_ttl": 90,
- "max_negative_ttl": 500,
- "max_udp_size": 890,
- "minimal_responses": true,
- "name": "string",
- "notify": true,
- "query_acl": [
- {
- "access": "accessquery_acl",
- "address": "81.2.69.192",
- "element": "elementquery_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commentquery_acl",
- "key": "keyquery_acl",
- "name": "namequery_acl",
- "protocol": {
- "name": "protocolnamequery_acl"
- },
- "secret": "secretquery_acl"
- },
- "value": "aclquery_acl"
- }
- ],
- "recursion_acl": [
- {
- "access": "allow",
- "address": "81.2.69.192",
- "element":
"elementrecursion_acl",
- "tsig_key": {
- "algorithm": "hmac_sha1",
- "comment": "commentrecursion_acl",
- "key": "keyrecursion_acl",
- "name": "namerecursion_acl",
- "protocol": {
- "name": "protocolnamerecursion_acl"
- },
- "secret": "secretrecursion_acl"
- },
- "value": "aclrecursion_acl"
- }
- ],
- "recursion_enabled": true,
- "synthesize": {
- "address_records_from_https": false
- },
- "tags": {
- "message": "Hello"
- },
- "transfer_acl": [
- {
- "access": "allow",
- "address": "216.160.83.56",
- "element": "elementtransfer_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commenttransfer_acl",
- "key": "keytransfer_acl",
- "name": "nametransfer_acl",
- "protocol": {
- "name": "protocolnametransfer_acl"
- },
- "secret": "secrettransfer_acl"
- },
- "value": "acltransfer_acl"
- }
- ],
- "update_acl": [
- {
- "access": "allow",
- "address": "216.160.83.56",
- "element": "elementupdate_acl",
- "tsig_key": {
- "algorithm": "hmac_sha1",
- "comment": "commentupdate_acl",
- "key": "keyupdate_acl",
- "name": "nameupdate_acl",
- "protocol": {
- "name": "protocolnameupdate_acl"
- },
- "secret": "secretupdate_acl"
- },
- "value": "aclupdate_acl"
- }
- ],
- "updated_at": "2022-07-15T06:55:25.978Z",
- "use_forwarders_for_subzones": true,
- "zone_authority": {
- "default_ttl": 20,
- "expire": 10,
- "mname": "mnamezone_authority",
- "negative_ttl": 30,
- "protocol": {
- "mname": "protocolmnamezone_authority",
- "rname": "protocolrnamezone_authority"
- },
- "refresh": 50,
- "retry": 100,
- "rname": "string",
- "use_default_mname": true
- }
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hash": [
- "hmac_sha256",
- "hmac_sha384",
- "hmac_sha224",
- "hmac_sha512",
- "hmac_sha1"
- ],
- "ip": [
- "81.2.69.192",
- "67.43.156.0",
- "89.160.20.128",
- "216.160.83.56"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "infoblox_bloxone_ddi_dns_config"
- ]
-}
\ No newline at end of file
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 1e7a1351da..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,54 +0,0 @@
-config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/api/ddi/v1/dns/record -request.transforms: - - set: - target: header.Authorization - value: 'Token {{api_key}}' - - set: - target: url.params._offset - value: 0 - - set: - target: url.params._limit - value: 100 - - set: - target: url.params._order_by - value: 'updated_at asc' - - set: - target: url.params._filter - value: 'updated_at>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"' - default: 'updated_at>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"' -response.pagination: - - set: - target: url.params._offset - value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_updated_at: - value: '[[.last_event.updated_at]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}}
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 63d1e8b369..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,433 +0,0 @@
---- -description: Pipeline for parsing DNS data logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.created_at - - json.updated_at - - json.id - target_field: _id - ignore_missing: true - - rename: - field: json.absolute_name_spec - target_field: infoblox_bloxone_ddi.dns_data.absolute_name.spec - ignore_missing: true - - rename: - field: json.absolute_zone_name - target_field: infoblox_bloxone_ddi.dns_data.absolute_zone.name - ignore_missing: true - - rename: - field: json.comment - target_field: infoblox_bloxone_ddi.dns_data.comment - ignore_missing: true - - date: - field: json.created_at - target_field: infoblox_bloxone_ddi.dns_data.created_at - if: ctx.json?.created_at != null && ctx.json.created_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.created - copy_from: infoblox_bloxone_ddi.dns_data.created_at - ignore_failure: true - - rename: - field: json.delegation - target_field: infoblox_bloxone_ddi.dns_data.delegation - ignore_missing: true - - convert: - field: json.disabled - target_field: infoblox_bloxone_ddi.dns_data.disabled - if: ctx.json?.disabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.dns_absolute_name_spec - target_field: infoblox_bloxone_ddi.dns_data.absolute.name.spec - ignore_missing: true - - rename: - field: json.dns_absolute_zone_name - target_field: infoblox_bloxone_ddi.dns_data.absolute.zone.name - ignore_missing: true - - rename: - field: json.dns_name_in_zone - target_field:
infoblox_bloxone_ddi.dns_data.name_in.zone - ignore_missing: true - - rename: - field: json.dns_rdata - target_field: infoblox_bloxone_ddi.dns_data.rdata_value - ignore_missing: true - - rename: - field: json.id - target_field: infoblox_bloxone_ddi.dns_data.id - ignore_missing: true - - set: - field: event.id - copy_from: infoblox_bloxone_ddi.dns_data.id - ignore_failure: true - - rename: - field: json.inheritance_sources.ttl.action - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action - ignore_missing: true - - rename: - field: json.inheritance_sources.ttl.display_name - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.ttl.source - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source - ignore_missing: true - - convert: - field: json.inheritance_sources.ttl.value - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.value - if: ctx.json?.inheritance_sources?.ttl?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.name_in_zone - target_field: infoblox_bloxone_ddi.dns_data.name_in_zone - ignore_missing: true - - convert: - field: json.options.create_ptr - target_field: infoblox_bloxone_ddi.dns_data.options.create_ptr - if: ctx.json?.options?.create_ptr != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.options.check_rmz - target_field: infoblox_bloxone_ddi.dns_data.options.check_rmz - if: ctx.json?.options?.check_rmz != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.options.address - target_field: infoblox_bloxone_ddi.dns_data.options.address - if: 
ctx.json?.options?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dns_data.options.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.provider_metadata - target_field: infoblox_bloxone_ddi.dns_data.provider_metadata - ignore_missing: true - - convert: - field: json.rdata.address - target_field: infoblox_bloxone_ddi.dns_data.rdata.address - if: ctx.json?.rdata?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dns_data.rdata.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.rdata.flags - target_field: infoblox_bloxone_ddi.dns_data.rdata.flags - ignore_missing: true - - rename: - field: json.rdata.tag - target_field: infoblox_bloxone_ddi.dns_data.rdata.tag - ignore_missing: true - - rename: - field: json.rdata.value - target_field: infoblox_bloxone_ddi.dns_data.rdata.value - ignore_missing: true - - rename: - field: json.rdata.cname - target_field: infoblox_bloxone_ddi.dns_data.rdata.cname - ignore_missing: true - - rename: - field: json.rdata.target - target_field: infoblox_bloxone_ddi.dns_data.rdata.target - ignore_missing: true - - rename: - field: json.rdata.dhcid - target_field: infoblox_bloxone_ddi.dns_data.rdata.dhcid - ignore_missing: true - - rename: - field: json.rdata.exchange - target_field: infoblox_bloxone_ddi.dns_data.rdata.exchange - ignore_missing: true - - convert: - field: json.rdata.preference - target_field: infoblox_bloxone_ddi.dns_data.rdata.preference - if: ctx.json?.rdata?.preference != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.order - 
target_field: infoblox_bloxone_ddi.dns_data.rdata.order - if: ctx.json?.rdata?.order != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.regexp - target_field: infoblox_bloxone_ddi.dns_data.rdata.regexp - ignore_missing: true - - rename: - field: json.rdata.replacement - target_field: infoblox_bloxone_ddi.dns_data.rdata.replacement - ignore_missing: true - - rename: - field: json.rdata.services - target_field: infoblox_bloxone_ddi.dns_data.rdata.services - ignore_missing: true - - rename: - field: json.rdata.dname - target_field: infoblox_bloxone_ddi.dns_data.rdata.dname - ignore_missing: true - - convert: - field: json.rdata.expire - target_field: infoblox_bloxone_ddi.dns_data.rdata.expire - if: ctx.json?.rdata?.expire != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.mname - target_field: infoblox_bloxone_ddi.dns_data.rdata.mname - ignore_missing: true - - convert: - field: json.rdata.negative_ttl - target_field: infoblox_bloxone_ddi.dns_data.rdata.negative_ttl - if: ctx.json?.rdata?.negative_ttl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.refresh - target_field: infoblox_bloxone_ddi.dns_data.rdata.refresh - if: ctx.json?.rdata?.refresh != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.retry - target_field: infoblox_bloxone_ddi.dns_data.rdata.retry - if: ctx.json?.rdata?.retry != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.rname - target_field: 
infoblox_bloxone_ddi.dns_data.rdata.rname - ignore_missing: true - - convert: - field: json.rdata.serial - target_field: infoblox_bloxone_ddi.dns_data.rdata.serial - if: ctx.json?.rdata?.serial != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.port - target_field: infoblox_bloxone_ddi.dns_data.rdata.port - if: ctx.json?.rdata?.port != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.priority - target_field: infoblox_bloxone_ddi.dns_data.rdata.priority - if: ctx.json?.rdata?.priority != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.weight - target_field: infoblox_bloxone_ddi.dns_data.rdata.weight - if: ctx.json?.rdata?.weight != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.text - target_field: infoblox_bloxone_ddi.dns_data.rdata.text - ignore_missing: true - - rename: - field: json.rdata.type - target_field: infoblox_bloxone_ddi.dns_data.rdata.type - ignore_missing: true - - convert: - field: json.rdata.length_kind - target_field: infoblox_bloxone_ddi.dns_data.rdata.length_kind - if: ctx.json?.rdata?.length_kind != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.tags - target_field: infoblox_bloxone_ddi.dns_data.tags - ignore_missing: true - - rename: - field: json.source - target_field: infoblox_bloxone_ddi.dns_data.source - ignore_missing: true - - convert: - field: json.ttl - target_field: infoblox_bloxone_ddi.dns_data.ttl - if: ctx.json?.ttl != '' - type: long - ignore_missing: true - 
on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: dns.answers.ttl - copy_from: infoblox_bloxone_ddi.dns_data.ttl - ignore_failure: true - - rename: - field: json.type - target_field: infoblox_bloxone_ddi.dns_data.type - ignore_missing: true - - date: - field: json.updated_at - target_field: infoblox_bloxone_ddi.dns_data.updated_at - if: ctx.json?.updated_at != null && ctx.json.updated_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: infoblox_bloxone_ddi.dns_data.updated_at - ignore_failure: true - - rename: - field: json.view - target_field: infoblox_bloxone_ddi.dns_data.view - ignore_missing: true - - rename: - field: json.view_name - target_field: infoblox_bloxone_ddi.dns_data.view_name - ignore_missing: true - - rename: - field: json.zone - target_field: infoblox_bloxone_ddi.dns_data.zone - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - infoblox_bloxone_ddi.dns_data.updated_at - - infoblox_bloxone_ddi.dns_data.lame_ttl - - infoblox_bloxone_ddi.dns_data.created_at - - infoblox_bloxone_ddi.dns_data.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/agent.yml
deleted file mode 100755
index 6e1bac042b..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/base-fields.yml
deleted file mode 100755
index e0810a683a..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: infoblox_bloxone_ddi -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: infoblox_bloxone_ddi.dns_data
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/ecs.yml
deleted file mode 100755
index 0198616504..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/ecs.yml
+++ /dev/null
@@ -1,62 +0,0 @@ -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/fields.yml
deleted file mode 100755
index 357c431732..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/fields/fields.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: infoblox_bloxone_ddi.dns_data - type: group - fields: - - name: absolute_name - type: group - fields: - - name: spec - type: keyword - description: Synthetic field, used to determine zone and/or name_in_zone field for records. - - name: absolute_zone - type: group - fields: - - name: name - type: keyword - description: The absolute domain name of the zone where this record belongs. - - name: absolute - type: group - fields: - - name: name - type: group - fields: - - name: spec - type: keyword - description: The DNS protocol textual representation of absolute_name_spec. - - name: zone - type: group - fields: - - name: name - type: keyword - description: The DNS protocol textual representation of the absolute domain name of the zone where this record belongs. - - name: comment - type: keyword - description: The description for the DNS resource record. May contain 0 to 1024 characters. Can include UTF-8. - - name: created_at - type: date - description: The timestamp when the object has been created. - - name: delegation - type: keyword - description: The resource identifier. - - name: disabled - type: boolean - description: Indicates if the DNS resource record is disabled. A disabled object is effectively non-existent when generating configuration. - - name: id - type: keyword - description: The resource identifier. - - name: inheritance - type: group - fields: - - name: sources - type: group - fields: - - name: ttl - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: name_in_zone - type: keyword - description: The relative owner name to the zone origin. 
Must be specified for creating the DNS resource record and is read only for other operations. - - name: name_in - type: group - fields: - - name: zone - type: keyword - description: The DNS protocol textual representation of the relative owner name for the DNS zone. - - name: options - type: group - fields: - - name: address - type: ip - description: For GET operation it contains the IPv4 or IPv6 address represented by the PTR record and for POST and PATCH operations it can be used to create/update a PTR record based on the IP address it represents. In this case, in addition to the address in the options field, need to specify the view field. - - name: check_rmz - type: boolean - description: A boolean flag which can be set to true for POST operation to check the existence of reverse zone for creating the corresponding PTR record. Only applicable if the create_ptr option is set to true. - - name: create_ptr - type: boolean - description: A boolean flag which can be set to true for POST operation to automatically create the corresponding PTR record. - - name: provider_metadata - type: flattened - description: external DNS provider metadata. - - name: rdata_value - type: keyword - description: The DNS protocol textual representation of the DNS resource record data. - - name: rdata - type: group - fields: - - name: address - type: ip - description: The IPv4/IPv6 address of the host. - - name: cname - type: keyword - description: A domain name which specifies the canonical or primary name for the owner. The owner name is an alias. Can be empty. - - name: dhcid - type: keyword - description: The Base64 encoded string which contains DHCP client information. - - name: dname - type: keyword - description: A domain-name which specifies a host which should be authoritative for the specified class and domain. Can be absolute or relative domain name and include UTF-8. 
- - name: exchange - type: keyword - description: A domain name which specifies a host willing to act as a mail exchange for the owner name. - - name: expire - type: long - description: The time interval in seconds after which zone data will expire and secondary server stops answering requests for the zone. - - name: flags - type: keyword - description: An unsigned 8-bit integer which specifies the CAA record flags. RFC 6844 defines one (highest) bit in flag octet, remaining bits are deferred for future use. This bit is referenced as Critical. When the bit is set (flag value == 128), issuers must not issue certificates in case CAA records contain unknown property tags. - - name: length_kind - type: long - description: A string indicating the size in bits of a sub-subfield that is prepended to the value and encodes the length of the value. - - name: mname - type: keyword - description: The domain name for the master server for the zone. Can be absolute or relative domain name. - - name: negative_ttl - type: long - description: The time interval in seconds for which name servers can cache negative responses for zone. - - name: order - type: long - description: A 16-bit unsigned integer specifying the order in which the NAPTR records must be processed. Low numbers are processed before high numbers, and once a NAPTR is found whose rule “matches” the target, the client must not consider any NAPTRs with a higher value for order (except as noted below for the “flags” field. The range of the value is 0 to 65535. - - name: port - type: long - description: An unsigned 16-bit integer which specifies the port on this target host of this service. The range of the value is 0 to 65535. This is often as specified in Assigned Numbers but need not be. - - name: preference - type: long - description: An unsigned 16-bit integer which specifies the preference given to this RR among others at the same owner. Lower values are preferred. The range of the value is 0 to 65535. 
- - name: priority - type: long - description: An unsigned 16-bit integer which specifies the priority of this target host. The range of the value is 0 to 65535. A client must attempt to contact the target host with the lowest-numbered priority it can reach. Target hosts with the same priority should be tried in an order defined by the weight field. - - name: refresh - type: long - description: The time interval in seconds that specifies how often secondary servers need to send a message to the primary server for a zone to check that their data is current, and retrieve fresh data if it is not. - - name: regexp - type: keyword - description: A string containing a substitution expression that is applied to the original string held by the client in order to construct the next domain name to lookup. - - name: replacement - type: keyword - description: The next name to query for NAPTR, SRV, or address records depending on the value of the flags field. This can be an absolute or relative domain name. Can be empty. - - name: retry - type: long - description: The time interval in seconds for which the secondary server will wait before attempting to recontact the primary server after a connection failure occurs. - - name: rname - type: keyword - description: The domain name which specifies the mailbox of the person responsible for this zone. - - name: serial - type: long - description: An unsigned 32-bit integer that specifies the serial number of the zone. Used to indicate that zone data was updated, so the secondary name server can initiate zone transfer. The range of the value is 0 to 4294967295. - - name: services - type: keyword - description: Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol must be specified if the flags field states that the NAPTR is terminal. 
If a protocol is specified, but the flags field does not state that the NAPTR is terminal, the next lookup must be for a NAPTR. The client may choose not to perform the next lookup if the protocol is unknown, but that behavior must not be relied upon. - - name: tag - type: keyword - description: The CAA record property tag string which indicates the type of CAA record. - - name: target - type: keyword - description: The target domain name to which the zone will be mapped. Can be empty. - - name: text - type: keyword - description: The semantics of the text depends on the domain where it is found. - - name: type - type: keyword - description: Type of TXT (Text) record. - - name: value - type: keyword - description: A string which contains the CAA record property value. - - name: weight - type: long - description: An unsigned 16-bit integer which specifies a relative weight for entries with the same priority. The range of the value is 0 to 65535. Larger weights should be given a proportionately higher probability of being selected. Domain administrators should use weight 0 when there isn’t any server selection to do, to make the RR easier to read for humans (less noisy). In the presence of records containing weights greater than 0, records with weight 0 should have a very small chance of being selected. - - name: source - type: keyword - description: The DNS resource record type-specific non-protocol source. The source is a combination of indicators, each tracking how the DNS resource record appeared in system. - - name: tags - type: flattened - description: The tags for the DNS resource record in JSON format. - - name: ttl - type: long - description: The record time to live value in seconds. The range of this value is 0 to 2147483647. Defaults to TTL value from the SOA record of the zone. 
- - name: type
- type: keyword
- description: The DNS resource record type specified in the textual mnemonic format or in the “TYPEnnn” format where “nnn” indicates the numeric type value.
- - name: updated_at
- type: date
- description: The timestamp when the object has been updated. Equals to created_at if not updated after creation.
- - name: view
- type: keyword
- description: The resource identifier.
- - name: view_name
- type: keyword
- description: The display name of the DNS view that contains the parent zone of the DNS resource record.
- - name: zone
- type: keyword
- description: The resource identifier.
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/manifest.yml
deleted file mode 100755
index 49b5d9f6a1..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/manifest.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -title: Collect DNS Data logs from Infoblox BloxOne DDI -type: logs -streams: - - input: httpjson - title: DNS Data logs - description: Collect DNS Data logs from Infoblox BloxOne DDI. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - bloxone_ddi_dns_data - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/sample_event.json deleted file mode 100755 index 9c800807b8..0000000000 
--- a/packages/infoblox_bloxone_ddi/0.1.1/data_stream/dns_data/sample_event.json
+++ /dev/null
@@ -1,145 +0,0 @@ -{ - "@timestamp": "2022-07-20T09:59:59.184Z", - "agent": { - "ephemeral_id": "eb4c7711-a048-4458-a48c-5d2045f2d6b1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_data", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 0 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-20T09:59:59.184Z", - "dataset": "infoblox_bloxone_ddi.dns_data", - "id": "ghr123ghf", - "ingested": "2022-09-22T08:29:03Z", - "kind": "event", - "original": "{\"absolute_name_spec\":\"DNS Data Absolute Name\",\"absolute_zone_name\":\"DNS Data Absolute Zone Name\",\"comment\":\"DNS Data Comment\",\"created_at\":\"2022-07-20T09:59:59.184Z\",\"delegation\":\"DNS Data Delegation\",\"disabled\":true,\"dns_absolute_name_spec\":\"DNS Absolute Name\",\"dns_absolute_zone_name\":\"DNS Absolute Zone Name\",\"dns_name_in_zone\":\"DNS Name in Zone\",\"dns_rdata\":\"DNS RData\",\"id\":\"ghr123ghf\",\"inheritance_sources\":{\"ttl\":{\"action\":\"DNS Data Action\",\"display_name\":\"DNS Display Name\",\"source\":\"DNS Data Source\",\"value\":10}},\"name_in_zone\":\"DNS Data Name in zone\",\"options\":{\"address\":\"67.43.156.0\",\"check_rmz\":true,\"create_ptr\":false},\"rdata\":{\"address\":\"81.2.69.192\",\"cname\":\"DNS Data Canonical Name\",\"dhcid\":\"122zbczba12\",\"dname\":\"DNS Data dname\",\"exchange\":\"DNS Data Exchange\",\"expire\":23131,\"flags\":\"DNS Data Flags\",\"length_kind\":8,\"mname\":\"DNS Data mname\",\"negative_ttl\":213342,\"order\":123124,\"port\":80,\"preference\":12345363467,\"priority\":44,\"refresh\":10800,\"regexp\":\"none\",\"replacement\":\"DNS Data 
Replacement\",\"retry\":3600,\"rname\":\"DNS Data rname\",\"serial\":12314114,\"services\":\"DNS Data Test Services\",\"tag\":\"issue\",\"target\":\"DNS Data Target\",\"text\":\"DNS Data text field\",\"type\":\"32BIT\",\"value\":\"DNS Data Value\",\"weight\":0},\"source\":[\"STATIC\"],\"tags\":{\"message\":\"Hello\"},\"ttl\":0,\"type\":\"DNS Data Type\",\"updated_at\":\"2022-07-20T09:59:59.184Z\",\"view\":\"DNS Data View\",\"view_name\":\"DNS Data View Name\",\"zone\":\"DNS Data Zone\"}", - "type": [ - "protocol" - ] - }, - "infoblox_bloxone_ddi": { - "dns_data": { - "absolute": { - "name": { - "spec": "DNS Absolute Name" - }, - "zone": { - "name": "DNS Absolute Zone Name" - } - }, - "absolute_name": { - "spec": "DNS Data Absolute Name" - }, - "absolute_zone": { - "name": "DNS Data Absolute Zone Name" - }, - "comment": "DNS Data Comment", - "created_at": "2022-07-20T09:59:59.184Z", - "delegation": "DNS Data Delegation", - "disabled": true, - "id": "ghr123ghf", - "inheritance": { - "sources": { - "ttl": { - "action": "DNS Data Action", - "display": { - "name": "DNS Display Name" - }, - "source": "DNS Data Source", - "value": 10 - } - } - }, - "name_in": { - "zone": "DNS Name in Zone" - }, - "name_in_zone": "DNS Data Name in zone", - "options": { - "address": "67.43.156.0", - "check_rmz": true, - "create_ptr": false - }, - "rdata": { - "address": "81.2.69.192", - "cname": "DNS Data Canonical Name", - "dhcid": "122zbczba12", - "dname": "DNS Data dname", - "exchange": "DNS Data Exchange", - "expire": 23131, - "flags": "DNS Data Flags", - "length_kind": 8, - "mname": "DNS Data mname", - "negative_ttl": 213342, - "order": 123124, - "port": 80, - "preference": 12345363467, - "priority": 44, - "refresh": 10800, - "regexp": "none", - "replacement": "DNS Data Replacement", - "retry": 3600, - "rname": "DNS Data rname", - "serial": 12314114, - "services": "DNS Data Test Services", - "tag": "issue", - "target": "DNS Data Target", - "text": "DNS Data text field", - "type": 
"32BIT", - "value": "DNS Data Value", - "weight": 0 - }, - "rdata_value": "DNS RData", - "source": [ - "STATIC" - ], - "tags": { - "message": "Hello" - }, - "ttl": 0, - "type": "DNS Data Type", - "updated_at": "2022-07-20T09:59:59.184Z", - "view": "DNS Data View", - "view_name": "DNS Data View Name", - "zone": "DNS Data Zone" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "67.43.156.0", - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "bloxone_ddi_dns_data" - ] -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.1/docs/README.md b/packages/infoblox_bloxone_ddi/0.1.1/docs/README.md deleted file mode 100755 index 5b86bc24bb..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/docs/README.md +++ /dev/null 
@@ -1,1520 +0,0 @@ -# Infoblox BloxOne DDI - -The [Infoblox BloxOne DDI](https://www.infoblox.com/products/bloxone-ddi/) integration allows you to monitor DNS, DHCP and IP address management activity. DDI is the foundation of core network services that enables all communications over an IP-based network. - -Use the Infoblox BloxOne DDI integration to collects and parses data from the REST APIs and then visualize that data in Kibana. - -## Data streams - -The Infoblox BloxOne DDI integration collects logs for three types of events: DHCP lease, DNS data and DNS config. - -**DHCP Lease** is a Infoblox BloxOne DDI service that stores information about leases. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDhcpLeases). - -**DNS Config** is a Infoblox BloxOne DDI service that provides cloud-based DNS configuration with on-prem host serving DNS protocol. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDnsConfig). - -**DNS Data** is a Infoblox BloxOne DDI service providing primary authoritative zone support. DNS Data is authoritative for all DNS resource records and is acting as a primary DNS server. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDnsData). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - -This module has been tested against `Infoblox BloxOne DDI API (v1)`. - -## Setup - -### To collect data from Infoblox BloxOne DDI APIs, the user must have API Key. To create an API key follow the below steps: - -1. Log on to the Cloud Services Portal. -2. Go to **\ -> User Profile**. -3. Go to **User API Keys** page. -4. 
Click **Create** to create a new API key. Specify the following: - - **Name**: Specify the name of the key. - - **Expires at**: Specify the expiry. -5. Click **Save & Close**. The API Access Key Generated dialog is shown. -6. Click **Copy**. - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations**. -2. In the "Search for integrations" search bar, type **Infoblox BloxOne DDI**. -3. Click on **Infoblox BloxOne DDI** integration from the search results. -4. Click on **Add Infoblox BloxOne DDI** button to add Infoblox BloxOne DDI integration. -5. Enable the Integration to collect logs via API. - -## Logs Reference - -### dhcp_lease - -This is the `dhcp_lease` dataset. - -#### Example - -An example event for `dhcp_lease` looks as following: - -```json -{ - "@timestamp": "2022-07-11T11:51:15.417Z", - "agent": { - "ephemeral_id": "a4b27e2a-c005-43ce-9542-7548dcc7b414", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "client": { - "user": { - "id": "abc3212abc" - } - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-09-22T08:27:40.118Z", - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "end": "2022-07-11T11:51:15.417Z", - "ingested": "2022-09-22T08:27:43Z", - "kind": "event", - "original": 
"{\"address\":\"81.2.69.192\",\"client_id\":\"abc3212abc\",\"ends\":\"2022-07-11T11:51:15.417Z\",\"fingerprint\":\"ab3213cbabab/abc23bca\",\"fingerprint_processed\":\"12abca32bca32abcd\",\"ha_group\":\"abc321cdcbda321\",\"hardware\":\"00:00:5E:00:53:00\",\"host\":\"admin\",\"hostname\":\"Host1\",\"iaid\":0,\"last_updated\":\"2022-07-11T11:51:15.417Z\",\"options\":{\"message\":\"Hello\"},\"preferred_lifetime\":\"2022-07-11T11:51:15.417Z\",\"protocol\":\"ip4\",\"space\":\"DHCP lease Space\",\"starts\":\"2022-07-14T11:51:15.417Z\",\"state\":\"used\",\"type\":\"DHCP lease Type\"}", - "start": "2022-07-14T11:51:15.417Z", - "type": [ - "protocol" - ] - }, - "host": { - "hostname": "Host1", - "name": "admin" - }, - "infoblox_bloxone_ddi": { - "dhcp_lease": { - "address": "81.2.69.192", - "client_id": "abc3212abc", - "ends": "2022-07-11T11:51:15.417Z", - "fingerprint": { - "processed": "12abca32bca32abcd", - "value": "ab3213cbabab/abc23bca" - }, - "ha_group": "abc321cdcbda321", - "hardware": "00-00-5E-00-53-00", - "host": "admin", - "hostname": "Host1", - "iaid": 0, - "last_updated": "2022-07-11T11:51:15.417Z", - "options": { - "message": "Hello" - }, - "preferred_lifetime": "2022-07-11T11:51:15.417Z", - "protocol": "ipv4", - "space": "DHCP lease Space", - "starts": "2022-07-14T11:51:15.417Z", - "state": "used", - "type": "DHCP lease Type" - } - }, - "input": { - "type": "httpjson" - }, - "network": { - "type": "ipv4" - }, - "related": { - "hosts": [ - "admin", - "Host1" - ], - "ip": [ - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dhcp_lease" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.address | The IP address of the DHCP lease in the format "a.b.c.d". This address will be marked as leased in IPAM while the lease exists. | ip | -| infoblox_bloxone_ddi.dhcp_lease.client_id | The client ID of the DHCP lease. It might be empty. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.ends | The time when the DHCP lease will expire. | date | -| infoblox_bloxone_ddi.dhcp_lease.fingerprint.processed | Indicates if the DHCP lease has been fingerprinted. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.fingerprint.value | The DHCP fingerprint of the lease. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.ha_group | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.hardware | The hardware address of the DHCP lease. This specifies the MAC address of the network interface on which the lease will be used. It consists of six groups of two hex digits in lower-case separated by colons. For example, "aa:bb:cc:dd:ee:ff". | keyword | -| infoblox_bloxone_ddi.dhcp_lease.host | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.hostname | The client hostname of the DHCP lease. This specifies the host name that the DHCP client sends to the DHCP server using DHCP option 12. It is a fully qualified domain name, consisting of a series of labels separated by dots. For example, "www.infoblox.com". It might be empty. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.iaid | Identity Association Identifier (IAID) of the lease. Applicable only for DHCPv6. 
| long | -| infoblox_bloxone_ddi.dhcp_lease.last_updated | The time when the DHCP lease was last updated. | date | -| infoblox_bloxone_ddi.dhcp_lease.options | The DHCP options of the lease in JSON format. | flattened | -| infoblox_bloxone_ddi.dhcp_lease.preferred_lifetime | The preferred time when the DHCP lease should expire. Applicable only for DHCPv6. | date | -| infoblox_bloxone_ddi.dhcp_lease.protocol | Lease protocol type. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.space | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.starts | The time when the DHCP lease was issued. | date | -| infoblox_bloxone_ddi.dhcp_lease.state | The state of the DHCP lease. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.type | Lease type. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### dns_config - -This is the `dns_config` dataset. 
- -#### Example - -An example event for `dns_config` looks as following: - -```json -{ - "@timestamp": "2022-07-15T06:55:25.978Z", - "agent": { - "ephemeral_id": "72747b3e-5f2e-4261-a994-aff0ac9b5be1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_config", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 350 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-15T06:55:25.978Z", - "dataset": "infoblox_bloxone_ddi.dns_config", - "id": "adv12rgfh", - "ingested": "2022-09-22T08:28:25Z", - "kind": "event", - "original": "{\"add_edns_option_in_outgoing_query\":true,\"comment\":\"DNS Config Comment\",\"created_at\":\"2022-07-15T06:55:25.978Z\",\"custom_root_ns\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"custom fqdn\",\"protocol_fqdn\":\"custom protocol fqdn\"}],\"custom_root_ns_enabled\":true,\"disabled\":true,\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_root_keys\":[{\"algorithm\":30,\"protocol_zone\":\"Dnssec root protocol zone\",\"public_key\":\"Dnssec root Public Key\",\"sep\":true,\"zone\":\"Dnssec root Zone\"}],\"dnssec_trust_anchors\":[{\"algorithm\":10,\"protocol_zone\":\"Dnssec trust protocol zone\",\"public_key\":\"Dnssec trust Public Key\",\"sep\":true,\"zone\":\"Dnssec trust zone\"}],\"dnssec_validate_expiry\":true,\"ecs_enabled\":true,\"ecs_forwarding\":true,\"ecs_prefix_v4\":22,\"ecs_prefix_v6\":33,\"ecs_zones\":[{\"access\":\"ecs zones access\",\"fqdn\":\"ecs zones fqdn\",\"protocol_fqdn\":\"ecs zones protocol fqdn\"}],\"edns_udp_size\":568,\"forwarders\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"forwarders 
fqdn\",\"protocol_fqdn\":\"forwarders protocol fqdn\"}],\"forwarders_only\":true,\"gss_tsig_enabled\":true,\"id\":\"adv12rgfh\",\"inheritance_sources\":{\"add_edns_option_in_outgoing_query\":{\"action\":\"inherit\",\"display_name\":\"displaynameadd_edns_option_in_outgoing_query\",\"source\":\"sourceadd_edns_option_in_outgoing_query\",\"value\":true},\"custom_root_ns_block\":{\"action\":\"override\",\"display_name\":\"displaynamecustom_root_ns_block\",\"source\":\"sourcecustom_root_ns_block\",\"value\":{\"custom_root_ns\":[{\"address\":\"67.43.156.0\",\"fqdn\":\"fqdn_custom_root_ns\",\"protocol_fqdn\":\"protocolfqdn_custom_root_ns\"}],\"custom_root_ns_enabled\":true}},\"dnssec_validation_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamednssec_validation_block\",\"source\":\"sourcednssec_validation_block\",\"value\":{\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_trust_anchors\":[{\"algorithm\":8,\"protocol_zone\":\"protocolzonednssec_trust_anchors\",\"public_key\":\"publickeydnssec_trust_anchors\",\"sep\":false,\"zone\":\"is3zone\"}],\"dnssec_validate_expiry\":true}},\"ecs_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameecs_block\",\"source\":\"sourceecs_block\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":10,\"ecs_zones\":[{\"access\":\"inherit\",\"fqdn\":\"fqdnecs_block\",\"protocol_fqdn\":\"protocol_fqdnecs_block\"}]}},\"ecs_zones\":{\"action\":\"override\",\"display_name\":\"displaynameecs_zones\",\"source\":\"sourceecs_zones\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":12,\"ecs_zones\":[{\"access\":\"access_ecs_zones\",\"fqdn\":\"fqdn_ecs_zones\",\"protocol_fqdn\":\"protocolfqdn_ecs_zones\"}]}},\"edns_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynameedns_udp_size\",\"source\":\"sourceedns_udp_size\",\"value\":55},\"forwarders_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameforwarders_bl
ock\",\"source\":\"sourceforwarders_block\",\"value\":{\"forwarders\":[{\"address\":\"89.160.20.128\",\"fqdn\":\"forwarders_fqdn\",\"protocol_fqdn\":\"forwarders_protocolfqdn\"}],\"forwarders_only\":true}},\"gss_tsig_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamegss_tsig_enabled\",\"source\":\"sourcegss_tsig_enabled\",\"value\":true},\"lame_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamelame_ttl\",\"source\":\"sourcelame_ttl\",\"value\":45},\"match_recursive_only\":{\"action\":\"inherit\",\"display_name\":\"displaynamematch_recursive_only\",\"source\":\"sourcematch_recursive_only\",\"value\":false},\"max_cache_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_cache_ttl\",\"source\":\"sourcemax_cache_ttl\",\"value\":13},\"max_negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_negative_ttl\",\"source\":\"sourcemax_negative_ttl\",\"value\":12},\"max_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_udp_size\",\"source\":\"sourcemax_udp_size\",\"value\":11},\"minimal_responses\":{\"action\":\"inherit\",\"display_name\":\"displaynameminimal_responses\",\"source\":\"sourceminimal_responses\",\"value\":true},\"notify\":{\"action\":\"inherit\",\"display_name\":\"displayname_notify\",\"source\":\"source_notify\",\"value\":true},\"query_acl\":{\"action\":\"override\",\"display_name\":\"displaynamequery_acl\",\"source\":\"sourcequery_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclvalue_query_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementvaluequery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha256\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolname_query_acl\",\"secret\":\"secretquery_acl\"}}]},\"recursion_acl\":{\"action\":\"override\",\"display_name\":\"displaynamerecursion_acl\",\"source\":\"sourcerecursion_acl\",\"value\":[{\"access\":\"deny\",\"acl\":\"aclrecursion_acl\",\"address\":\"89.160.20.128\",\"eleme
nt\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}]},\"recursion_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamerecursion_enabled\",\"source\":\"sourcerecursion_enabled\",\"value\":true},\"synthesize_address_records_from_https\":{\"action\":\"inherit\",\"display_name\":\"displaynamesynthesize_address_records_from_https\",\"source\":\"sourcesynthesize_address_records_from_https\",\"value\":true},\"transfer_acl\":{\"action\":\"inherit\",\"display_name\":\"displaynametransfer_acl\",\"source\":\"sourcetransfer_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}]},\"update_acl\":{\"action\":\"override\",\"display_name\":\"displaynameupdate_acl\",\"source\":\"sourceupdate_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}]},\"use_forwarders_for_subzones\":{\"action\":\"override\",\"display_name\":\"displaynameuse_forwarders_for_subzones\",\"source\":\"sourceuse_forwarders_for_subzones\",\"value\":false},\"zone_authority\":{\"default_ttl\":{\"action\":\"override\",\"display_name\":\"displaynamezone_authority\",\"source\":\"sourcezone_authority\",\"value\":50},\"expire\":{\"action\":\"inherit\",\"display_name\":\"displaynameexpire\",\"source\":\"sourceexpire\",\"value\":70},\"
mname_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamemname_block\",\"source\":\"sourcemname_block\",\"value\":{\"mname\":\"mnamevaluemname_block\",\"protocol_mname\":\"protocolmnamemname_block\",\"use_default_mname\":true}},\"negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamenegative_ttl\",\"source\":\"sourcenegative_ttl\",\"value\":90},\"protocol_rname\":{\"action\":\"inherit\",\"display_name\":\"displaynameprotocol_rname\",\"source\":\"sourceprotocol_rname\",\"value\":\"valueprotocol_rname\"},\"refresh\":{\"action\":\"inherit\",\"display_name\":\"displayname_refresh\",\"source\":\"source_refresh\",\"value\":40},\"retry\":{\"action\":\"inherit\",\"display_name\":\"displayname_retry\",\"source\":\"source_retry\",\"value\":570},\"rname\":{\"action\":\"inherit\",\"display_name\":\"displayname_rname\",\"source\":\"source_rname\",\"value\":\"value_rname\"}}},\"ip_spaces\":[\"testipspaces\"],\"lame_ttl\":350,\"match_clients_acl\":[{\"access\":\"deny\",\"acl\":\"aclmatch_clients_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_clients_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha512\",\"comment\":\"commentmatch_clients_acl\",\"key\":\"keymatch_clients_acl\",\"name\":\"namematch_clients_acl\",\"protocol_name\":\"protocolnamematch_clients_acl\",\"secret\":\"secretmatch_clients_acl\"}}],\"match_destinations_acl\":[{\"access\":\"allow\",\"acl\":\"aclmatch_destinations_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_destinations_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentmatch_destinations_acl\",\"key\":\"keymatch_destinations_acl\",\"name\":\"namematch_destinations_acl\",\"protocol_name\":\"protocolnamematch_destinations_acl\",\"secret\":\"secretmatch_destinations_acl\"}}],\"match_recursive_only\":true,\"max_cache_ttl\":90,\"max_negative_ttl\":500,\"max_udp_size\":890,\"minimal_responses\":true,\"name\":\"string\",\"notify\":true,\"query_acl\":[{\"access\":\"accessquery_acl\",\"acl\":\"aclqu
ery_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementquery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolnamequery_acl\",\"secret\":\"secretquery_acl\"}}],\"recursion_acl\":[{\"access\":\"allow\",\"acl\":\"aclrecursion_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}],\"recursion_enabled\":true,\"synthesize_address_records_from_https\":false,\"tags\":{\"message\":\"Hello\"},\"transfer_acl\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}],\"update_acl\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}],\"updated_at\":\"2022-07-15T06:55:25.978Z\",\"use_forwarders_for_subzones\":true,\"zone_authority\":{\"default_ttl\":20,\"expire\":10,\"mname\":\"mnamezone_authority\",\"negative_ttl\":30,\"protocol_mname\":\"protocolmnamezone_authority\",\"protocol_rname\":\"protocolrnamezone_authority\",\"refresh\":50,\"retry\":100,\"rname\":\"string\",\"use_default_mname\":true}}", - "type": [ - "protocol" - ] - }, - "infoblox_bloxone_ddi": { - "dns_config": { - "add_edns": { - "option_in": { - "outgoing_query": true - } - }, - "comment": "DNS Config Comment", - 
"created_at": "2022-07-15T06:55:25.978Z", - "custom_root_ns": [ - { - "address": "81.2.69.192", - "fqdn": "custom fqdn", - "protocol": { - "fqdn": "custom protocol fqdn" - } - } - ], - "custom_root_ns_enabled": true, - "disabled": true, - "dnssec": { - "enable_validation": true, - "enabled": true, - "root_keys": [ - { - "algorithm": 30, - "protocol": { - "zone": "Dnssec root protocol zone" - }, - "public": "Dnssec root Public Key", - "sep": true, - "zone": "Dnssec root Zone" - } - ], - "trust_anchors": [ - { - "algorithm": 10, - "protocol": { - "zone": "Dnssec trust protocol zone" - }, - "public_key": "Dnssec trust Public Key", - "sep": true, - "zone": "Dnssec trust zone" - } - ], - "validate_expiry": true - }, - "ecs": { - "enabled": true, - "forwarding": true, - "prefix_v4": 22, - "prefix_v6": 33, - "zones": [ - { - "access": "ecs zones access", - "fqdn": "ecs zones fqdn", - "protocol": { - "fqdn": "ecs zones protocol fqdn" - } - } - ] - }, - "edns": { - "udp": { - "size": 568 - } - }, - "forwarders": [ - { - "address": "81.2.69.192", - "fqdn": "forwarders fqdn", - "protocol": { - "fqdn": "forwarders protocol fqdn" - } - } - ], - "forwarders_only": true, - "gss_tsig_enabled": true, - "id": "adv12rgfh", - "inheritance": { - "sources": { - "add_edns": { - "option_in": { - "outgoing_query": { - "action": "inherit", - "display": { - "name": "displaynameadd_edns_option_in_outgoing_query" - }, - "source": "sourceadd_edns_option_in_outgoing_query", - "value": true - } - } - }, - "custom_root_ns": { - "block": { - "action": "override", - "display": { - "name": "displaynamecustom_root_ns_block" - }, - "source": "sourcecustom_root_ns_block", - "value": [ - { - "address": "67.43.156.0", - "fqdn": "fqdn_custom_root_ns", - "protocol": { - "fqdn": "protocolfqdn_custom_root_ns" - } - } - ], - "value_enabled": true - } - }, - "dnssec": { - "validation": { - "block": { - "action": "inherit", - "display": { - "name": "displaynamednssec_validation_block" - }, - "source": 
"sourcednssec_validation_block", - "value": { - "enable": true, - "enabled": true, - "trust_anchors": [ - { - "algorithm": 8, - "protocol": { - "zone": "protocolzonednssec_trust_anchors" - }, - "public_key": "publickeydnssec_trust_anchors", - "sep": false, - "zone": "is3zone" - } - ], - "validate_expiry": true - } - } - } - }, - "ecs": { - "block": { - "action": "inherit", - "display": { - "name": "displaynameecs_block" - }, - "source": "sourceecs_block", - "value": { - "enabled": false, - "forwarding": true, - "prefix_v4": 4, - "prefix_v6": 10, - "zones": [ - { - "access": "inherit", - "fqdn": "fqdnecs_block", - "protocol": { - "fqdn": "protocol_fqdnecs_block" - } - } - ] - } - } - }, - "edns": { - "udp": { - "size": { - "action": "inherit", - "display": { - "name": "displaynameedns_udp_size" - }, - "source": "sourceedns_udp_size", - "value": 55 - } - } - }, - "forwarders": { - "block": { - "action": "inherit", - "display": { - "name": "displaynameforwarders_block" - }, - "source": "sourceforwarders_block", - "value": [ - { - "address": "89.160.20.128", - "fqdn": "forwarders_fqdn", - "protocol": { - "fqdn": "forwarders_protocolfqdn" - } - } - ], - "value_only": true - } - }, - "gss_tsig_enabled": { - "action": "inherit", - "display": { - "name": "displaynamegss_tsig_enabled" - }, - "source": "sourcegss_tsig_enabled", - "value": true - }, - "lame_ttl": { - "action": "inherit", - "display": { - "name": "displaynamelame_ttl" - }, - "source": "sourcelame_ttl", - "value": 45 - }, - "match_recursive_only": { - "action": "inherit", - "display": { - "name": "displaynamematch_recursive_only" - }, - "source": "sourcematch_recursive_only", - "value": false - }, - "max_cache_ttl": { - "action": "inherit", - "display": { - "name": "displaynamemax_cache_ttl" - }, - "source": "sourcemax_cache_ttl", - "value": 13 - }, - "max_negative_ttl": { - "action": "inherit", - "display": { - "name": "displaynamemax_negative_ttl" - }, - "source": "sourcemax_negative_ttl", - "value": 12 - }, 
- "max_udp_size": { - "action": "inherit", - "display": { - "name": "displaynamemax_udp_size" - }, - "source": "sourcemax_udp_size", - "value": 11 - }, - "minimal_responses": { - "action": "inherit", - "display": { - "name": "displaynameminimal_responses" - }, - "source": "sourceminimal_responses", - "value": true - }, - "notify": { - "action": "inherit", - "display": { - "name": "displayname_notify" - }, - "source": "source_notify", - "value": true - }, - "query_acl": { - "action": "override", - "display": { - "name": "displaynamequery_acl" - }, - "source": "sourcequery_acl", - "value": [ - { - "access": "allow", - "acl": "aclvalue_query_acl", - "address": "89.160.20.128", - "element": "elementvaluequery_acl", - "tsig_key": { - "algorithm": "hmac_sha256", - "comment": "commentquery_acl", - "key": "keyquery_acl", - "name": "namequery_acl", - "protocol": { - "name": "protocolname_query_acl" - }, - "secret": "secretquery_acl" - } - } - ] - }, - "recursion_acl": { - "action": "override", - "display": { - "name": "displaynamerecursion_acl" - }, - "source": "sourcerecursion_acl", - "value": [ - { - "access": "deny", - "acl": "aclrecursion_acl", - "address": "89.160.20.128", - "element": "elementrecursion_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentrecursion_acl", - "key": "keyrecursion_acl", - "name": "namerecursion_acl", - "protocol": { - "name": "protocolnamerecursion_acl" - }, - "secret": "secretrecursion_acl" - } - } - ] - }, - "recursion_enabled": { - "action": "inherit", - "display": { - "name": "displaynamerecursion_enabled" - }, - "source": "sourcerecursion_enabled", - "value": true - }, - "synthesize": { - "address_records_from_https": { - "action": "inherit", - "display": { - "name": "displaynamesynthesize_address_records_from_https" - }, - "name": "sourcesynthesize_address_records_from_https", - "value": true - } - }, - "transfer_acl": { - "action": "inherit", - "display": { - "name": "displaynametransfer_acl" - }, - "source": 
"sourcetransfer_acl", - "value": [ - { - "access": "allow", - "acl": "acltransfer_acl", - "address": "216.160.83.56", - "element": "elementtransfer_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commenttransfer_acl", - "key": "keytransfer_acl", - "name": "nametransfer_acl", - "protocol": { - "name": "protocolnametransfer_acl" - }, - "secret": "secrettransfer_acl" - } - } - ] - }, - "update_acl": { - "action": "override", - "display": { - "name": "displaynameupdate_acl" - }, - "source": "sourceupdate_acl", - "value": [ - { - "access": "allow", - "acl": "aclupdate_acl", - "address": "216.160.83.56", - "element": "elementupdate_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentupdate_acl", - "key": "keyupdate_acl", - "name": "nameupdate_acl", - "protocol": { - "name": "protocolnameupdate_acl" - }, - "secret": "secretupdate_acl" - } - } - ] - }, - "use_forwarders_for_subzones": { - "action": "override", - "display": { - "name": "displaynameuse_forwarders_for_subzones" - }, - "source": "sourceuse_forwarders_for_subzones", - "value": false - }, - "zone_authority": { - "default_ttl": { - "action": "override", - "display": { - "name": "displaynamezone_authority" - }, - "source": "sourcezone_authority", - "value": 50 - }, - "expire": { - "action": "inherit", - "display": { - "name": "displaynameexpire" - }, - "source": "sourceexpire", - "value": 70 - }, - "mname_block": { - "action": "inherit", - "display": { - "name": "displaynamemname_block" - }, - "source": "sourcemname_block", - "value": { - "isdefault": true, - "protocol": { - "mname": "protocolmnamemname_block" - } - } - }, - "mname_block_value": "mnamevaluemname_block", - "negative_ttl": { - "action": "inherit", - "display": { - "name": "displaynamenegative_ttl" - }, - "source": "sourcenegative_ttl", - "value": 90 - }, - "protocol_rname": { - "action": "inherit", - "display": { - "name": "displaynameprotocol_rname" - }, - "source": "sourceprotocol_rname", - "value": 
"valueprotocol_rname" - }, - "refresh": { - "action": "inherit", - "display": { - "name": "displayname_refresh" - }, - "source": "source_refresh", - "value": 40 - }, - "retry": { - "action": "inherit", - "display": { - "name": "displayname_retry" - }, - "source": "source_retry", - "value": 570 - }, - "rname": { - "action": "inherit", - "display": { - "name": "displayname_rname" - }, - "source": "source_rname", - "value": "value_rname" - } - } - } - }, - "ip_spaces": [ - "testipspaces" - ], - "lame_ttl": 350, - "match_clients_acl": [ - { - "access": "deny", - "address": "81.2.69.192", - "element": "elementmatch_clients_acl", - "tsig_key": { - "algorithm": "hmac_sha512", - "comment": "commentmatch_clients_acl", - "key": "keymatch_clients_acl", - "name": "namematch_clients_acl", - "protocol": { - "name": "protocolnamematch_clients_acl" - }, - "secret": "secretmatch_clients_acl" - }, - "value": "aclmatch_clients_acl" - } - ], - "match_destinations_acl": [ - { - "access": "allow", - "address": "81.2.69.192", - "element": "elementmatch_destinations_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentmatch_destinations_acl", - "key": "keymatch_destinations_acl", - "name": "namematch_destinations_acl", - "protocol": { - "name": "protocolnamematch_destinations_acl" - }, - "secret": "secretmatch_destinations_acl" - }, - "value": "aclmatch_destinations_acl" - } - ], - "match_recursive_only": true, - "max_cache_ttl": 90, - "max_negative_ttl": 500, - "max_udp_size": 890, - "minimal_responses": true, - "name": "string", - "notify": true, - "query_acl": [ - { - "access": "accessquery_acl", - "address": "81.2.69.192", - "element": "elementquery_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commentquery_acl", - "key": "keyquery_acl", - "name": "namequery_acl", - "protocol": { - "name": "protocolnamequery_acl" - }, - "secret": "secretquery_acl" - }, - "value": "aclquery_acl" - } - ], - "recursion_acl": [ - { - "access": "allow", - "address": 
"81.2.69.192", - "element": "elementrecursion_acl", - "tsig_key": { - "algorithm": "hmac_sha1", - "comment": "commentrecursion_acl", - "key": "keyrecursion_acl", - "name": "namerecursion_acl", - "protocol": { - "name": "protocolnamerecursion_acl" - }, - "secret": "secretrecursion_acl" - }, - "value": "aclrecursion_acl" - } - ], - "recursion_enabled": true, - "synthesize": { - "address_records_from_https": false - }, - "tags": { - "message": "Hello" - }, - "transfer_acl": [ - { - "access": "allow", - "address": "216.160.83.56", - "element": "elementtransfer_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commenttransfer_acl", - "key": "keytransfer_acl", - "name": "nametransfer_acl", - "protocol": { - "name": "protocolnametransfer_acl" - }, - "secret": "secrettransfer_acl" - }, - "value": "acltransfer_acl" - } - ], - "update_acl": [ - { - "access": "allow", - "address": "216.160.83.56", - "element": "elementupdate_acl", - "tsig_key": { - "algorithm": "hmac_sha1", - "comment": "commentupdate_acl", - "key": "keyupdate_acl", - "name": "nameupdate_acl", - "protocol": { - "name": "protocolnameupdate_acl" - }, - "secret": "secretupdate_acl" - }, - "value": "aclupdate_acl" - } - ], - "updated_at": "2022-07-15T06:55:25.978Z", - "use_forwarders_for_subzones": true, - "zone_authority": { - "default_ttl": 20, - "expire": 10, - "mname": "mnamezone_authority", - "negative_ttl": 30, - "protocol": { - "mname": "protocolmnamezone_authority", - "rname": "protocolrnamezone_authority" - }, - "refresh": 50, - "retry": 100, - "rname": "string", - "use_default_mname": true - } - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hash": [ - "hmac_sha256", - "hmac_sha384", - "hmac_sha224", - "hmac_sha512", - "hmac_sha1" - ], - "ip": [ - "81.2.69.192", - "67.43.156.0", - "89.160.20.128", - "216.160.83.56" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dns_config" - ] -} -``` - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| infoblox_bloxone_ddi.dns_config.add_edns.option_in.outgoing_query | add_edns_option_in_outgoing_query adds client IP, MAC address and view name into outgoing recursive query. | boolean | -| infoblox_bloxone_ddi.dns_config.comment | Optional. Comment for view. | keyword | -| infoblox_bloxone_ddi.dns_config.created_at | The timestamp when the object has been created. | date | -| infoblox_bloxone_ddi.dns_config.custom_root_ns.address | IPv4 address. | ip | -| infoblox_bloxone_ddi.dns_config.custom_root_ns.fqdn | FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.custom_root_ns.protocol.fqdn | FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.custom_root_ns_enabled | Optional. true to use custom root nameservers instead of the default ones. | boolean | -| infoblox_bloxone_ddi.dns_config.disabled | Optional. true to disable object. A disabled object is effectively non-existent when generating configuration. | boolean | -| infoblox_bloxone_ddi.dns_config.dnssec.enable_validation | Optional. true to perform DNSSEC validation. | boolean | -| infoblox_bloxone_ddi.dns_config.dnssec.enabled | Optional. Master toggle for all DNSSEC processing. | boolean | -| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.algorithm | Key algorithm. Algorithm values are as per standards. | long | -| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.protocol.zone | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.public | DNSSEC key data. Non-empty, valid base64 string. 
| keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.sep | Optional. Secure Entry Point flag. | boolean | -| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.zone | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.algorithm | Key algorithm. Algorithm values are as per standards. | long | -| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.protocol.zone | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.public_key | DNSSEC key data. Non-empty, valid base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.sep | Optional. Secure Entry Point flag. | boolean | -| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.zone | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.dnssec.validate_expiry | Optional. true to reject expired DNSSEC keys. | boolean | -| infoblox_bloxone_ddi.dns_config.ecs.enabled | Optional. true to enable EDNS client subnet for recursive queries. | boolean | -| infoblox_bloxone_ddi.dns_config.ecs.forwarding | Optional. true to enable ECS options in outbound queries. This functionality has additional overhead so it is disabled by default. | boolean | -| infoblox_bloxone_ddi.dns_config.ecs.prefix_v4 | Optional. Maximum scope length for v4 ECS. | long | -| infoblox_bloxone_ddi.dns_config.ecs.prefix_v6 | Optional. Maximum scope length for v6 ECS. | long | -| infoblox_bloxone_ddi.dns_config.ecs.zones.access | Access control for zone. | keyword | -| infoblox_bloxone_ddi.dns_config.ecs.zones.fqdn | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.ecs.zones.protocol.fqdn | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.edns.udp.size | Optional. edns_udp_size represents the edns UDP size. | long | -| infoblox_bloxone_ddi.dns_config.forwarders.address | Server IP address. | ip | -| infoblox_bloxone_ddi.dns_config.forwarders.fqdn | Server FQDN. 
| keyword | -| infoblox_bloxone_ddi.dns_config.forwarders.protocol.fqdn | Server FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.forwarders_only | Optional. true to only forward. | boolean | -| infoblox_bloxone_ddi.dns_config.gss_tsig_enabled | gss_tsig_enabled enables/disables GSS-TSIG signed dynamic updates. | boolean | -| infoblox_bloxone_ddi.dns_config.id | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.address | IPv4 address. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.fqdn | Optional. Field config for custom_root_ns_enabled field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.protocol.fqdn | FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value_enabled | FQDN in punycode. 
| boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enable | Optional. Field config for dnssec_enable_validation field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enabled | Optional. Field config for dnssec_enabled field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.algorithm | Key algorithm. Algorithm values are as per standards. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.protocol.zone | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.public_key | DNSSEC key data. Non-empty, valid base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.sep | Optional. Secure Entry Point flag. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.zone | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.validate_expiry | Optional. Field config for dnssec_validate_expiry field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.display.name | Human-readable display name for the object referred to by source. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.enabled | Optional. Field config for ecs_enabled field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.forwarding | Optional. Field config for ecs_forwarding field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v4 | Optional. Field config for ecs_prefix_v4 field. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v6 | Optional. Field config for ecs_prefix_v6 field. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.access | Access control for zone. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.fqdn | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.protocol.fqdn | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.address | Server IP address. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.fqdn | Server FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.protocol.fqdn | Server FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value_only | Optional. Field config for forwarders_only field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.display.name | The human-readable display name for the object referred to by source. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.key | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.protocol.name | TSIG key name in punycode. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.name | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.acl | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.element | Type of element. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.value | The inherited value. 
| long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.isdefault | Optional. Use default value for master name server. Defaults to true. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.protocol.mname | Optional. Master name server in punycode. Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block_value | Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.value | The inherited value. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.action | The inheritance setting for a field. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.value | The inherited value. | keyword | -| infoblox_bloxone_ddi.dns_config.ip_spaces | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.lame_ttl | Optional. Unused in the current on-prem DNS server implementation. | long | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.element | Type of element. 
| keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.algorithm | TSIG key algorithm. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.comment | Comment for TSIG key. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.key | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.name | TSIG key name, FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_destinations_acl.value | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.match_recursive_only | Optional. If true only recursive queries from matching clients access the view. | boolean |
-| infoblox_bloxone_ddi.dns_config.max_cache_ttl | Optional. Seconds to cache positive responses. | long |
-| infoblox_bloxone_ddi.dns_config.max_negative_ttl | Optional. Seconds to cache negative responses. | long |
-| infoblox_bloxone_ddi.dns_config.max_udp_size | Optional. max_udp_size represents maximum UDP payload size. | long |
-| infoblox_bloxone_ddi.dns_config.minimal_responses | Optional. When enabled, the DNS server will only add records to the authority and additional data sections when they are required. | boolean |
-| infoblox_bloxone_ddi.dns_config.name | Name of view. | keyword |
-| infoblox_bloxone_ddi.dns_config.notify | notify all external secondary DNS servers. | boolean |
-| infoblox_bloxone_ddi.dns_config.query_acl.access | Access permission for element. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.address | Optional. Data for ip element. | ip |
-| infoblox_bloxone_ddi.dns_config.query_acl.element | Type of element. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.algorithm | TSIG key algorithm. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.comment | Comment for TSIG key. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.key | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.name | TSIG key name, FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.query_acl.value | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.access | Access permission for element. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.address | Optional. Data for ip element. | ip |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.element | Type of element. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.algorithm | TSIG key algorithm. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.comment | Comment for TSIG key. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.key | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.name | TSIG key name, FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_acl.value | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.recursion_enabled | Optional. true to allow recursive DNS queries. | boolean |
-| infoblox_bloxone_ddi.dns_config.synthesize.address_records_from_https | synthesize_address_records_from_https enables/disables creation of A/AAAA records from HTTPS RR. | boolean |
-| infoblox_bloxone_ddi.dns_config.tags | Tagging specifics. | flattened |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.access | Access permission for element. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.address | Optional. Data for ip element. | ip |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.element | Type of element. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.algorithm | TSIG key algorithm. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.comment | Comment for TSIG key. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.key | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.name | TSIG key name, FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.transfer_acl.value | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.access | Access permission for element. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.address | Optional. Data for ip element. | ip |
-| infoblox_bloxone_ddi.dns_config.update_acl.element | Type of element. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.algorithm | TSIG key algorithm. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.comment | Comment for TSIG key. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.key | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.name | TSIG key name, FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.update_acl.value | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.updated_at | The timestamp when the object has been updated. Equals to created_at if not updated after creation. | date |
-| infoblox_bloxone_ddi.dns_config.use_forwarders_for_subzones | Optional. Use default forwarders to resolve queries for subzones. | boolean |
-| infoblox_bloxone_ddi.dns_config.zone_authority.default_ttl | Optional. ZoneAuthority default ttl for resource records in zone (value in seconds). | long |
-| infoblox_bloxone_ddi.dns_config.zone_authority.expire | Optional. ZoneAuthority expire time in seconds. Defaults to 2419200. | long |
-| infoblox_bloxone_ddi.dns_config.zone_authority.mname | Optional. ZoneAuthority master name server (partially qualified domain name) Defaults to empty. | keyword |
-| infoblox_bloxone_ddi.dns_config.zone_authority.negative_ttl | Optional. ZoneAuthority negative caching (minimum) ttl in seconds. | long |
-| infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname | Optional. ZoneAuthority master name server in punycode. Defaults to empty. | keyword |
-| infoblox_bloxone_ddi.dns_config.zone_authority.protocol.rname | Optional. A domain name which specifies the mailbox of the person responsible for this zone. Defaults to empty. | keyword |
-| infoblox_bloxone_ddi.dns_config.zone_authority.refresh | Optional. ZoneAuthority refresh. Defaults to 10800. | long |
-| infoblox_bloxone_ddi.dns_config.zone_authority.retry | Optional. ZoneAuthority retry. Defaults to 3600. | long |
-| infoblox_bloxone_ddi.dns_config.zone_authority.rname | Optional. ZoneAuthority rname. Defaults to empty. | keyword |
-| infoblox_bloxone_ddi.dns_config.zone_authority.use_default_mname | Optional. Use default value for master name server. Defaults to true. | boolean |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-### dns_data
-
-This is the `dns_data` dataset.
-
-#### Example
-
-An example event for `dns_data` looks as following:
-
-```json
-{
- "@timestamp": "2022-07-20T09:59:59.184Z",
- "agent": {
- "ephemeral_id": "eb4c7711-a048-4458-a48c-5d2045f2d6b1",
- "hostname": "docker-fleet-agent",
- "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "infoblox_bloxone_ddi.dns_data",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": {
- "ttl": 0
- }
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "created": "2022-07-20T09:59:59.184Z",
- "dataset": "infoblox_bloxone_ddi.dns_data",
- "id": "ghr123ghf",
- "ingested": "2022-09-22T08:29:03Z",
- "kind": "event",
- "original": "{\"absolute_name_spec\":\"DNS Data Absolute Name\",\"absolute_zone_name\":\"DNS Data Absolute Zone Name\",\"comment\":\"DNS Data Comment\",\"created_at\":\"2022-07-20T09:59:59.184Z\",\"delegation\":\"DNS Data Delegation\",\"disabled\":true,\"dns_absolute_name_spec\":\"DNS Absolute Name\",\"dns_absolute_zone_name\":\"DNS Absolute Zone Name\",\"dns_name_in_zone\":\"DNS Name in Zone\",\"dns_rdata\":\"DNS RData\",\"id\":\"ghr123ghf\",\"inheritance_sources\":{\"ttl\":{\"action\":\"DNS Data Action\",\"display_name\":\"DNS Display Name\",\"source\":\"DNS Data Source\",\"value\":10}},\"name_in_zone\":\"DNS Data Name in zone\",\"options\":{\"address\":\"67.43.156.0\",\"check_rmz\":true,\"create_ptr\":false},\"rdata\":{\"address\":\"81.2.69.192\",\"cname\":\"DNS Data Canonical Name\",\"dhcid\":\"122zbczba12\",\"dname\":\"DNS Data dname\",\"exchange\":\"DNS Data Exchange\",\"expire\":23131,\"flags\":\"DNS Data Flags\",\"length_kind\":8,\"mname\":\"DNS Data mname\",\"negative_ttl\":213342,\"order\":123124,\"port\":80,\"preference\":12345363467,\"priority\":44,\"refresh\":10800,\"regexp\":\"none\",\"replacement\":\"DNS Data Replacement\",\"retry\":3600,\"rname\":\"DNS Data rname\",\"serial\":12314114,\"services\":\"DNS Data Test Services\",\"tag\":\"issue\",\"target\":\"DNS Data Target\",\"text\":\"DNS Data text field\",\"type\":\"32BIT\",\"value\":\"DNS Data Value\",\"weight\":0},\"source\":[\"STATIC\"],\"tags\":{\"message\":\"Hello\"},\"ttl\":0,\"type\":\"DNS Data Type\",\"updated_at\":\"2022-07-20T09:59:59.184Z\",\"view\":\"DNS Data View\",\"view_name\":\"DNS Data View Name\",\"zone\":\"DNS Data Zone\"}",
- "type": [
- "protocol"
- ]
- },
- "infoblox_bloxone_ddi": {
- "dns_data": {
- "absolute": {
- "name": {
- "spec": "DNS Absolute Name"
- },
- "zone": {
- "name": "DNS Absolute Zone Name"
- }
- },
- "absolute_name": {
- "spec": "DNS Data Absolute Name"
- },
- "absolute_zone": {
- "name": "DNS Data Absolute Zone Name"
- },
- "comment": "DNS Data Comment",
- "created_at": "2022-07-20T09:59:59.184Z",
- "delegation": "DNS Data Delegation",
- "disabled": true,
- "id": "ghr123ghf",
- "inheritance": {
- "sources": {
- "ttl": {
- "action": "DNS Data Action",
- "display": {
- "name": "DNS Display Name"
- },
- "source": "DNS Data Source",
- "value": 10
- }
- }
- },
- "name_in": {
- "zone": "DNS Name in Zone"
- },
- "name_in_zone": "DNS Data Name in zone",
- "options": {
- "address": "67.43.156.0",
- "check_rmz": true,
- "create_ptr": false
- },
- "rdata": {
- "address": "81.2.69.192",
- "cname": "DNS Data Canonical Name",
- "dhcid": "122zbczba12",
- "dname": "DNS Data dname",
- "exchange": "DNS Data Exchange",
- "expire": 23131,
- "flags": "DNS Data Flags",
- "length_kind": 8,
- "mname": "DNS Data mname",
- "negative_ttl": 213342,
- "order": 123124,
- "port": 80,
- "preference": 12345363467,
- "priority": 44,
- "refresh": 10800,
- "regexp": "none",
- "replacement": "DNS Data Replacement",
- "retry": 3600,
- "rname": "DNS Data rname",
- "serial": 12314114,
- "services": "DNS Data Test Services",
- "tag": "issue",
- "target": "DNS Data Target",
- "text": "DNS Data text field",
- "type": "32BIT",
- "value": "DNS Data Value",
- "weight": 0
- },
- "rdata_value": "DNS RData",
- "source": [
- "STATIC"
- ],
- "tags": {
- "message": "Hello"
- },
- "ttl": 0,
- "type": "DNS Data Type",
- "updated_at": "2022-07-20T09:59:59.184Z",
- "view": "DNS Data View",
- "view_name": "DNS Data View Name",
- "zone": "DNS Data Zone"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "ip": [
- "67.43.156.0",
- "81.2.69.192"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "bloxone_ddi_dns_data"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute.name.spec | The DNS protocol textual representation of absolute_name_spec. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute.zone.name | The DNS protocol textual representation of the absolute domain name of the zone where this record belongs. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute_name.spec | Synthetic field, used to determine zone and/or name_in_zone field for records. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute_zone.name | The absolute domain name of the zone where this record belongs. | keyword |
-| infoblox_bloxone_ddi.dns_data.comment | The description for the DNS resource record. May contain 0 to 1024 characters. Can include UTF-8. | keyword |
-| infoblox_bloxone_ddi.dns_data.created_at | The timestamp when the object has been created. | date |
-| infoblox_bloxone_ddi.dns_data.delegation | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.disabled | Indicates if the DNS resource record is disabled. A disabled object is effectively non-existent when generating configuration. | boolean |
-| infoblox_bloxone_ddi.dns_data.id | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action | The inheritance setting for a field. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.display.name | The human-readable display name for the object referred to by source. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.value | The inherited value. | long |
-| infoblox_bloxone_ddi.dns_data.name_in.zone | The DNS protocol textual representation of the relative owner name for the DNS zone. | keyword |
-| infoblox_bloxone_ddi.dns_data.name_in_zone | The relative owner name to the zone origin. Must be specified for creating the DNS resource record and is read only for other operations. | keyword |
-| infoblox_bloxone_ddi.dns_data.options.address | For GET operation it contains the IPv4 or IPv6 address represented by the PTR record and for POST and PATCH operations it can be used to create/update a PTR record based on the IP address it represents. In this case, in addition to the address in the options field, need to specify the view field. | ip |
-| infoblox_bloxone_ddi.dns_data.options.check_rmz | A boolean flag which can be set to true for POST operation to check the existence of reverse zone for creating the corresponding PTR record. Only applicable if the create_ptr option is set to true. | boolean |
-| infoblox_bloxone_ddi.dns_data.options.create_ptr | A boolean flag which can be set to true for POST operation to automatically create the corresponding PTR record. | boolean |
-| infoblox_bloxone_ddi.dns_data.provider_metadata | external DNS provider metadata. | flattened |
-| infoblox_bloxone_ddi.dns_data.rdata.address | The IPv4/IPv6 address of the host. | ip |
-| infoblox_bloxone_ddi.dns_data.rdata.cname | A domain name which specifies the canonical or primary name for the owner. The owner name is an alias. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.dhcid | The Base64 encoded string which contains DHCP client information. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.dname | A domain-name which specifies a host which should be authoritative for the specified class and domain. Can be absolute or relative domain name and include UTF-8. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.exchange | A domain name which specifies a host willing to act as a mail exchange for the owner name. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.expire | The time interval in seconds after which zone data will expire and secondary server stops answering requests for the zone. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.flags | An unsigned 8-bit integer which specifies the CAA record flags. RFC 6844 defines one (highest) bit in flag octet, remaining bits are deferred for future use. This bit is referenced as Critical. When the bit is set (flag value == 128), issuers must not issue certificates in case CAA records contain unknown property tags. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.length_kind | A string indicating the size in bits of a sub-subfield that is prepended to the value and encodes the length of the value. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.mname | The domain name for the master server for the zone. Can be absolute or relative domain name. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.negative_ttl | The time interval in seconds for which name servers can cache negative responses for zone. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.order | A 16-bit unsigned integer specifying the order in which the NAPTR records must be processed. Low numbers are processed before high numbers, and once a NAPTR is found whose rule “matches” the target, the client must not consider any NAPTRs with a higher value for order (except as noted below for the “flags” field. The range of the value is 0 to 65535. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.port | An unsigned 16-bit integer which specifies the port on this target host of this service. The range of the value is 0 to 65535. This is often as specified in Assigned Numbers but need not be. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.preference | An unsigned 16-bit integer which specifies the preference given to this RR among others at the same owner. Lower values are preferred. The range of the value is 0 to 65535. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.priority | An unsigned 16-bit integer which specifies the priority of this target host. The range of the value is 0 to 65535. A client must attempt to contact the target host with the lowest-numbered priority it can reach. Target hosts with the same priority should be tried in an order defined by the weight field. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.refresh | The time interval in seconds that specifies how often secondary servers need to send a message to the primary server for a zone to check that their data is current, and retrieve fresh data if it is not. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.regexp | A string containing a substitution expression that is applied to the original string held by the client in order to construct the next domain name to lookup. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.replacement | The next name to query for NAPTR, SRV, or address records depending on the value of the flags field. This can be an absolute or relative domain name. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.retry | The time interval in seconds for which the secondary server will wait before attempting to recontact the primary server after a connection failure occurs. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.rname | The domain name which specifies the mailbox of the person responsible for this zone. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.serial | An unsigned 32-bit integer that specifies the serial number of the zone. Used to indicate that zone data was updated, so the secondary name server can initiate zone transfer. The range of the value is 0 to 4294967295. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.services | Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol must be specified if the flags field states that the NAPTR is terminal. If a protocol is specified, but the flags field does not state that the NAPTR is terminal, the next lookup must be for a NAPTR. The client may choose not to perform the next lookup if the protocol is unknown, but that behavior must not be relied upon. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.tag | The CAA record property tag string which indicates the type of CAA record. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.target | The target domain name to which the zone will be mapped. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.text | The semantics of the text depends on the domain where it is found. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.type | Type of TXT (Text) record. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.value | A string which contains the CAA record property value. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.weight | An unsigned 16-bit integer which specifies a relative weight for entries with the same priority. The range of the value is 0 to 65535. Larger weights should be given a proportionately higher probability of being selected. Domain administrators should use weight 0 when there isn’t any server selection to do, to make the RR easier to read for humans (less noisy). In the presence of records containing weights greater than 0, records with weight 0 should have a very small chance of being selected. | long |
-| infoblox_bloxone_ddi.dns_data.rdata_value | The DNS protocol textual representation of the DNS resource record data. | keyword |
-| infoblox_bloxone_ddi.dns_data.source | The DNS resource record type-specific non-protocol source. The source is a combination of indicators, each tracking how the DNS resource record appeared in system. | keyword |
-| infoblox_bloxone_ddi.dns_data.tags | The tags for the DNS resource record in JSON format. | flattened |
-| infoblox_bloxone_ddi.dns_data.ttl | The record time to live value in seconds. The range of this value is 0 to 2147483647. Defaults to TTL value from the SOA record of the zone. | long |
-| infoblox_bloxone_ddi.dns_data.type | The DNS resource record type specified in the textual mnemonic format or in the “TYPEnnn” format where “nnn” indicates the numeric type value. 
| keyword | -| infoblox_bloxone_ddi.dns_data.updated_at | The timestamp when the object has been updated. Equals to created_at if not updated after creation. | date | -| infoblox_bloxone_ddi.dns_data.view | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_data.view_name | The display name of the DNS view that contains the parent zone of the DNS resource record. | keyword | -| infoblox_bloxone_ddi.dns_data.zone | The resource identifier. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - diff --git a/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-logo.svg b/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-logo.svg deleted file mode 100755 index 57b4d23b16..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-logo.svg +++ /dev/null @@ -1,93 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-screenshot.png b/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-screenshot.png deleted file mode 100755 index 4a1e34f087..0000000000 Binary files a/packages/infoblox_bloxone_ddi/0.1.1/img/infoblox-bloxone-ddi-screenshot.png and /dev/null differ diff --git a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json deleted file mode 100755 index b153b8b77e..0000000000 
--- a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DHCP Lease.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f39755d-9919-4b22-baf7-aaef264be212\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f39755d-9919-4b22-baf7-aaef264be212\":{\"columnOrder\":[\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\",\"cf1300db-9b2d-425b-8402-adabebe05f79\"],\"columns\":{\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"cf1300db-9b2d-425b-8402-adabebe05f79\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"network.type\"},\"cf1300db-9b2d-425b-8402-adabebe05f79\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"cf1300db-9b2d-425b-8402-adabebe05f79\"],\"layerId\":\"0f39755d-9919-4b22-baf7-aaef264be212\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"787837bf-ae0a-4079-a028-2e31a1e3774e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"787837bf-ae0a-4079-a028-2e31a1e3774e\",\"title\":\"Distribution of Events by Protocol [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c6f049f-acb4-4fcb-a794-5bc75829aa4c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c6f049f-acb4-4fcb-a794-5bc75829aa4c\":{\"columnOrder\":[\"5575e5c2-6223-4317-9a33-5370ed22f610\",\"139ac0cd-8d04-4adb-946d-f59d28818ad8\"],\"columns\":{\"139ac0cd-8d04-4adb-946d-f59d28818ad8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5575e5c2-6223-4317-9a33-5370ed22f610\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"139ac0cd-8d04-4adb-946d-f59d28818ad8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"5575e5c2-6223-4317-9a33-5370ed22f610\",\"isTransposed\":false},{\"columnId\":\"139ac0cd-8d04-4adb-946d-f59d28818ad8\",\"isTransposed\":false}],\"layerId\":\"6c6f049f-acb4-4fcb-a794-5bc75829aa4c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"96e5e038-7865-4a0a-bdd3-8b915c7be91b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"96e5e038-7865-4a0a-bdd3-8b915c7be91b\",\"title\":\"Top 10 Host Name [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19f9c3d5-3fd4-4142-92e2-1b3c57af397a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19f9c3d5-3fd4-4142-92e2-1b3c57af397a\":{\"columnOrder\":[\"f1f10540-9928-411e-afd6-9deed825c323\",\"17c881a1-b60e-430e-9836-de551602c8c3\"],\"columns\":{\"17c881a1-b60e-430e-9836-de551602c8c3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f1f10540-9928-411e-afd6-9deed825c323\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"17c881a1-b60e-430e-9836-de551602c8c3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dhcp_lease.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f1f10540-9928-411e-afd6-9deed825c323\"],\"layerId\":\"19f9c3d5-3fd4-4142-92e2-1b3c57af397a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"17c881a1-b60e-430e-9836-de551602c8c3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9baea1e0-7803-4bbe-b4e2-ed03e1589afa\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"9baea1e0-7803-4bbe-b4e2-ed03e1589afa\",\"title\":\"Distribution of Events by Type 
[Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e0e5694c-e3bb-4186-9f26-7e734c94ad83\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e0e5694c-e3bb-4186-9f26-7e734c94ad83\":{\"columnOrder\":[\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\",\"a7b437d6-9d78-4392-980b-a8548cb5ac20\"],\"columns\":{\"a7b437d6-9d78-4392-980b-a8548cb5ac20\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a7b437d6-9d78-4392-980b-a8548cb5ac20\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\"],\"layerId\":\"e0e5694c-e3bb-4186-9f26-7e734c94ad83\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a7b437d6-9d78-4392-980b-a8548cb5ac20\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d9edc7fd-4587-4423-9f62-bb383b52ef28\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d9edc7fd-4587-4423-9f62-bb383b52ef28\",\"title\":\"Distribution of Events by Host [Logs 
Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4f508d4b-b035-447c-98ea-d2072e82dd85\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f508d4b-b035-447c-98ea-d2072e82dd85\":{\"columnOrder\":[\"69cf7012-abd8-47f8-852b-21721be5b14e\",\"6e50bc10-f378-4b90-a523-b34082257272\"],\"columns\":{\"69cf7012-abd8-47f8-852b-21721be5b14e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6e50bc10-f378-4b90-a523-b34082257272\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dhcp_lease.state\"},\"6e50bc10-f378-4b90-a523-b34082257272\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"6e50bc10-f378-4b90-a523-b34082257272\"],\"layerId\":\"4f508d4b-b035-447c-98ea-d2072e82dd85\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"69cf7012-abd8-47f8-852b-21721be5b14e\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"68968f24-d04d-4f57-a575-4a82672e67eb\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"68968f24-d04d-4f57-a575-4a82672e67eb\",\"title\":\"Distribution of Events by State [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DHCP Lease", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "787837bf-ae0a-4079-a028-2e31a1e3774e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "787837bf-ae0a-4079-a028-2e31a1e3774e:indexpattern-datasource-layer-0f39755d-9919-4b22-baf7-aaef264be212", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96e5e038-7865-4a0a-bdd3-8b915c7be91b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96e5e038-7865-4a0a-bdd3-8b915c7be91b:indexpattern-datasource-layer-6c6f049f-acb4-4fcb-a794-5bc75829aa4c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9baea1e0-7803-4bbe-b4e2-ed03e1589afa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9baea1e0-7803-4bbe-b4e2-ed03e1589afa:indexpattern-datasource-layer-19f9c3d5-3fd4-4142-92e2-1b3c57af397a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d9edc7fd-4587-4423-9f62-bb383b52ef28:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d9edc7fd-4587-4423-9f62-bb383b52ef28:indexpattern-datasource-layer-e0e5694c-e3bb-4186-9f26-7e734c94ad83", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "68968f24-d04d-4f57-a575-4a82672e67eb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "68968f24-d04d-4f57-a575-4a82672e67eb:indexpattern-datasource-layer-4f508d4b-b035-447c-98ea-d2072e82dd85", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json deleted file mode 100755 index ec3a938133..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DNS Data.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-492dce9b-ecc9-466a-ad17-c801a56b2578\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"492dce9b-ecc9-466a-ad17-c801a56b2578\":{\"columnOrder\":[\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\",\"44d341d2-7182-4c93-9788-8975ce86921c\"],\"columns\":{\"44d341d2-7182-4c93-9788-8975ce86921c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"TTL Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"44d341d2-7182-4c93-9788-8975ce86921c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"44d341d2-7182-4c93-9788-8975ce86921c\"],\"layerId\":\"492dce9b-ecc9-466a-ad17-c801a56b2578\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d0d0f6b9-d632-47de-bcc6-54bce4e679f2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d0d0f6b9-d632-47de-bcc6-54bce4e679f2\",\"title\":\"Distribution of Events by TTL Action [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4948d9b6-bab5-48f2-a031-46e87a884637\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4948d9b6-bab5-48f2-a031-46e87a884637\":{\"columnOrder\":[\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\",\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\"],\"columns\":{\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"TTL Source 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\",\"isTransposed\":false},{\"columnId\":\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\",\"isTransposed\":false}],\"layerId\":\"4948d9b6-bab5-48f2-a031-46e87a884637\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7eb4f1b6-29ea-45f9-bab5-a0343594726b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"7eb4f1b6-29ea-45f9-bab5-a0343594726b\",\"title\":\"Top 10 TTL Source Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\":{\"columnOrder\":[\"af4e6514-1ab8-4963-994e-f25bee46936b\",\"83233299-085a-4f13-8916-0f254e2fbb7a\"],\"columns\":{\"83233299-085a-4f13-8916-0f254e2fbb7a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"af4e6514-1ab8-4963-994e-f25bee46936b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"DNS Absolute Zone 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"83233299-085a-4f13-8916-0f254e2fbb7a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.absolute.zone.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"af4e6514-1ab8-4963-994e-f25bee46936b\"],\"layerId\":\"c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"83233299-085a-4f13-8916-0f254e2fbb7a\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a8079745-b78b-4daa-bb29-638e498e4c96\",\"w\":17,\"x\":0,\"y\":15},\"panelIndex\":\"a8079745-b78b-4daa-bb29-638e498e4c96\",\"title\":\"Distribution of Events by DNS Absolute Zone Name [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-040c65c3-7b12-43b0-bfa5-e2c535634de6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"040c65c3-7b12-43b0-bfa5-e2c535634de6\":{\"columnOrder\":[\"232a8505-70be-447c-9286-218aeaabddc7\",\"ec8a44d6-1b97-4077-9e93-986973e7acff\"],\"columns\":{\"232a8505-70be-447c-9286-218aeaabddc7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec8a44d6-1b97-4077-9e93-986973e7acff\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.type\"},\"ec8a44d6-1b97-4077-9e93-986973e7acff\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"232a8505-70be-447c-9286-218aeaabddc7\"],\"layerId\":\"040c65c3-7b12-43b0-bfa5-e2c535634de6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec8a44d6-1b97-4077-9e93-986973e7acff\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fecabbc6-727d-4798-8eaa-f5f553a53d47\",\"w\":16,\"x\":17,\"y\":15},\"panelIndex\":\"fecabbc6-727d-4798-8eaa-f5f553a53d47\",\"title\":\"Distribution of Events by Type [Logs 
Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7db7df97-c91b-417a-a146-72c6f2ac8d91\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7db7df97-c91b-417a-a146-72c6f2ac8d91\":{\"columnOrder\":[\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\",\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\"],\"columns\":{\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"View Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.view_name\"},\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\"],\"layerId\":\"7db7df97-c91b-417a-a146-72c6f2ac8d91\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"63226a08-6f74-4817-9a08-21d93d3dc00f\",\"w\":15,\"x\":33,\"y\":15},\"panelIndex\":\"63226a08-6f74-4817-9a08-21d93d3dc00f\",\"title\":\"Distribution of Events by View Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6b9c902-06c7-4274-8831-8fab7e860319\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6b9c902-06c7-4274-8831-8fab7e860319\":{\"columnOrder\":[\"1189fdd0-3651-47cd-9943-46668da81407\",\"834d4e0a-e326-430e-ba1c-b21b409e11ce\"],\"columns\":{\"1189fdd0-3651-47cd-9943-46668da81407\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Host 
Address\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"834d4e0a-e326-430e-ba1c-b21b409e11ce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.address\"},\"834d4e0a-e326-430e-ba1c-b21b409e11ce\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"1189fdd0-3651-47cd-9943-46668da81407\",\"isTransposed\":false},{\"columnId\":\"834d4e0a-e326-430e-ba1c-b21b409e11ce\",\"isTransposed\":false}],\"layerId\":\"a6b9c902-06c7-4274-8831-8fab7e860319\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8f0234c4-f3f1-48c8-8f43-4731cd958b70\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"8f0234c4-f3f1-48c8-8f43-4731cd958b70\",\"title\":\"Top 10 Host Address [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1cb8734b-97ec-4693-916c-950178d12555\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1cb8734b-97ec-4693-916c-950178d12555\":{\"columnOrder\":[\"9a412a97-ba89-4765-8f22-0413ec2db942\",\"5324359a-19f9-4039-be9b-2817abe8d788\"],\"columns\":{\"5324359a-19f9-4039-be9b-2817abe8d788\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a412a97-ba89-4765-8f22-0413ec2db942\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Record Value\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5324359a-19f9-4039-be9b-2817abe8d788\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.value\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9a412a97-ba89-4765-8f22-0413ec2db942\"],\"layerId\":\"1cb8734b-97ec-4693-916c-950178d12555\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5324359a-19f9-4039-be9b-2817abe8d788\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a549ae88-b384-4a37-bbe9-8d5fd54f1a2b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"a549ae88-b384-4a37-bbe9-8d5fd54f1a2b\",\"title\":\"Distribution 
of Events by Resource Record Value [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-42c0d34a-142e-4761-8619-137862ca3e49\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"42c0d34a-142e-4761-8619-137862ca3e49\":{\"columnOrder\":[\"e47e7765-58a0-4694-ba84-1c973f735455\",\"df2daecc-3bde-4973-99c2-052ae6346963\"],\"columns\":{\"df2daecc-3bde-4973-99c2-052ae6346963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e47e7765-58a0-4694-ba84-1c973f735455\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Canonical Owner Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df2daecc-3bde-4973-99c2-052ae6346963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.cname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"df2daecc-3bde-4973-99c2-052ae6346963\"],\"layerId\":\"42c0d34a-142e-4761-8619-137862ca3e49\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e47e7765-58a0-4694-ba84-1c973f735455\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab1a9322-c074-44d4-a12c-d6b4d394b8fd\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"ab1a9322-c074-44d4-a12c-d6b4d394b8fd\",\"title\":\"Distribution of Events by Canonical Owner Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9011083b-774e-4cc5-a099-ac6130fce672\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9011083b-774e-4cc5-a099-ac6130fce672\":{\"columnOrder\":[\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\",\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\"],\"columns\":{\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Record Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\"],\"layerId\":\"9011083b-774e-4cc5-a099-ac6130fce672\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"00a91cfd-1761-4308-8443-b2a2208c8630\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"00a91cfd-1761-4308-8443-b2a2208c8630\",\"title\":\"Distribution of Events by Resource Record Type [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DNS Data", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "d0d0f6b9-d632-47de-bcc6-54bce4e679f2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d0f6b9-d632-47de-bcc6-54bce4e679f2:indexpattern-datasource-layer-492dce9b-ecc9-466a-ad17-c801a56b2578", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7eb4f1b6-29ea-45f9-bab5-a0343594726b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7eb4f1b6-29ea-45f9-bab5-a0343594726b:indexpattern-datasource-layer-4948d9b6-bab5-48f2-a031-46e87a884637", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8079745-b78b-4daa-bb29-638e498e4c96:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8079745-b78b-4daa-bb29-638e498e4c96:indexpattern-datasource-layer-c0b7ca44-dfc2-4e69-9fdf-a67439d1b290", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "fecabbc6-727d-4798-8eaa-f5f553a53d47:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fecabbc6-727d-4798-8eaa-f5f553a53d47:indexpattern-datasource-layer-040c65c3-7b12-43b0-bfa5-e2c535634de6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63226a08-6f74-4817-9a08-21d93d3dc00f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63226a08-6f74-4817-9a08-21d93d3dc00f:indexpattern-datasource-layer-7db7df97-c91b-417a-a146-72c6f2ac8d91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8f0234c4-f3f1-48c8-8f43-4731cd958b70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8f0234c4-f3f1-48c8-8f43-4731cd958b70:indexpattern-datasource-layer-a6b9c902-06c7-4274-8831-8fab7e860319", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a549ae88-b384-4a37-bbe9-8d5fd54f1a2b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a549ae88-b384-4a37-bbe9-8d5fd54f1a2b:indexpattern-datasource-layer-1cb8734b-97ec-4693-916c-950178d12555", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab1a9322-c074-44d4-a12c-d6b4d394b8fd:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab1a9322-c074-44d4-a12c-d6b4d394b8fd:indexpattern-datasource-layer-42c0d34a-142e-4761-8619-137862ca3e49", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "00a91cfd-1761-4308-8443-b2a2208c8630:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "00a91cfd-1761-4308-8443-b2a2208c8630:indexpattern-datasource-layer-9011083b-774e-4cc5-a099-ac6130fce672", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json
deleted file mode 100755
index 0ee79b258d..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DNS Config.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cba386eb-2f07-4c35-9a1c-57937a5d37db\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cba386eb-2f07-4c35-9a1c-57937a5d37db\":{\"columnOrder\":[\"46922848-22a1-4583-add0-66c83d05e7fc\",\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\"],\"columns\":{\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"46922848-22a1-4583-add0-66c83d05e7fc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Custom Root Name Server FQDN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.custom_root_ns.fqdn\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"46922848-22a1-4583-add0-66c83d05e7fc\",\"isTransposed\":false},{\"columnId\":\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\",\"isTransposed\":false}],\"layerId\":\"cba386eb-2f07-4c35-9a1c-57937a5d37db\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8a5670b8-9772-40e6-adc9-743fddfcb93a\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8a5670b8-9772-40e6-adc9-743fddfcb93a\",\"title\":\"Top 10 Custom Root Name Server FQDN [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49c44c59-cb39-48ca-8c38-6d604857fae7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49c44c59-cb39-48ca-8c38-6d604857fae7\":{\"columnOrder\":[\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\",\"707209ce-b61a-4765-9303-530ed1a26b33\"],\"columns\":{\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outgoing Query 
Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"707209ce-b61a-4765-9303-530ed1a26b33\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action\"},\"707209ce-b61a-4765-9303-530ed1a26b33\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\"],\"layerId\":\"49c44c59-cb39-48ca-8c38-6d604857fae7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"707209ce-b61a-4765-9303-530ed1a26b33\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28\",\"title\":\"Distribution of Events by Outgoing Query Action [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dd5c94ed-e107-49e3-ab06-d9cb924653ed\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dd5c94ed-e107-49e3-ab06-d9cb924653ed\":{\"columnOrder\":[\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\",\"4443908b-190a-4856-8b66-69db9199df32\"],\"columns\":{\"4443908b-190a-4856-8b66-69db9199df32\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ECS Block Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4443908b-190a-4856-8b66-69db9199df32\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4443908b-190a-4856-8b66-69db9199df32\"],\"layerId\":\"dd5c94ed-e107-49e3-ab06-d9cb924653ed\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6f2c59a-ce94-4356-98af-91e7bc6cceed\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"d6f2c59a-ce94-4356-98af-91e7bc6cceed\",\"title\":\"Distribution of Events by ECS Block Action [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Custom Root Name Server Address\",\"field\":\"infoblox_bloxone_ddi.dns_config.custom_root_ns.address\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9d6f4983-8608-429b-95e7-56117041b778\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9d6f4983-8608-429b-95e7-56117041b778\",\"title\":\"Top Custom Root Name Server Address [Logs Infoblox BloxOne 
DDI]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eb849a44-0dfe-427d-99dd-be95e3050965\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eb849a44-0dfe-427d-99dd-be95e3050965\":{\"columnOrder\":[\"90e03992-a3cd-4c07-952b-f5332cd81db4\",\"a499cd19-0ca6-4886-aac6-99bcd5e61153\"],\"columns\":{\"90e03992-a3cd-4c07-952b-f5332cd81db4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ECS Zone Access\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a499cd19-0ca6-4886-aac6-99bcd5e61153\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.ecs.zones.access\"},\"a499cd19-0ca6-4886-aac6-99bcd5e61153\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a499cd19-0ca6-4886-aac6-99bcd5e61153\"],\"layerId\":\"eb849a44-0dfe-427d-99dd-be95e3050965\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"90e03992-a3cd-4c07-952b-f5332cd81db4\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f6643ae2-2e62-46ae-a200-5012ac25de36\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"f6643ae2-2e62-46ae-a200-5012ac25de36\",\"title\":\"Distribution of Events by ECS Zone Access [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6b2013f5-e5d1-45e6-8760-439e960800f3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6b2013f5-e5d1-45e6-8760-439e960800f3\":{\"columnOrder\":[\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\",\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\"],\"columns\":{\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outgoing Query Source\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\",\"isTransposed\":false},{\"columnId\":\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\",\"isTransposed\":false}],\"layerId\":\"6b2013f5-e5d1-45e6-8760-439e960800f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ef011d9-9870-4357-bf7b-8b4baa0ae570\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3ef011d9-9870-4357-bf7b-8b4baa0ae570\",\"title\":\"Top 10 Outgoing Query Source [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4f221e65-f5b8-446f-90d3-a05571f889ed\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f221e65-f5b8-446f-90d3-a05571f889ed\":{\"columnOrder\":[\"8235e883-949c-4216-ba74-cd53c5ad3b41\",\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\"],\"columns\":{\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8235e883-949c-4216-ba74-cd53c5ad3b41\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol Mname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"8235e883-949c-4216-ba74-cd53c5ad3b41\"],\"layerId\":\"4f221e65-f5b8-446f-90d3-a05571f889ed\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2f7542b5-9c17-4e1c-944d-3820afa497ce\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"2f7542b5-9c17-4e1c-944d-3820afa497ce\",\"title\":\"Distribution of Events by Zone Authority Master Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ca4bfffe-6a9f-413a-869c-58d1646363f2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ca4bfffe-6a9f-413a-869c-58d1646363f2\":{\"columnOrder\":[\"f15cb334-4cde-4a69-ac70-14739f098e98\",\"5f223db3-7560-49ec-a024-7266360e5e5f\"],\"columns\":{\"5f223db3-7560-49ec-a024-7266360e5e5f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f15cb334-4cde-4a69-ac70-14739f098e98\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Default TTL 
Source\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5f223db3-7560-49ec-a024-7266360e5e5f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f15cb334-4cde-4a69-ac70-14739f098e98\"],\"layerId\":\"ca4bfffe-6a9f-413a-869c-58d1646363f2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5f223db3-7560-49ec-a024-7266360e5e5f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2c27ed27-b814-4462-bd64-e99cd0d4f363\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2c27ed27-b814-4462-bd64-e99cd0d4f363\",\"title\":\"Distribution of Events by Default TTL source [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"panelRefName\":\"panel_f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DNS Config", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "8a5670b8-9772-40e6-adc9-743fddfcb93a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": 
"logs-*",
- "name": "8a5670b8-9772-40e6-adc9-743fddfcb93a:indexpattern-datasource-layer-cba386eb-2f07-4c35-9a1c-57937a5d37db",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28:indexpattern-datasource-layer-49c44c59-cb39-48ca-8c38-6d604857fae7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d6f2c59a-ce94-4356-98af-91e7bc6cceed:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d6f2c59a-ce94-4356-98af-91e7bc6cceed:indexpattern-datasource-layer-dd5c94ed-e107-49e3-ab06-d9cb924653ed",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d6f4983-8608-429b-95e7-56117041b778:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f6643ae2-2e62-46ae-a200-5012ac25de36:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f6643ae2-2e62-46ae-a200-5012ac25de36:indexpattern-datasource-layer-eb849a44-0dfe-427d-99dd-be95e3050965",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "3ef011d9-9870-4357-bf7b-8b4baa0ae570:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "3ef011d9-9870-4357-bf7b-8b4baa0ae570:indexpattern-datasource-layer-6b2013f5-e5d1-45e6-8760-439e960800f3",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2f7542b5-9c17-4e1c-944d-3820afa497ce:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2f7542b5-9c17-4e1c-944d-3820afa497ce:indexpattern-datasource-layer-4f221e65-f5b8-446f-90d3-a05571f889ed",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name":
"2c27ed27-b814-4462-bd64-e99cd0d4f363:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2c27ed27-b814-4462-bd64-e99cd0d4f363:indexpattern-datasource-layer-ca4bfffe-6a9f-413a-869c-58d1646363f2",
- "type": "index-pattern"
- },
- {
- "id": "infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe",
- "name": "f288d1dd-c4dc-472c-a7ac-6c5173b348a1:panel_f288d1dd-c4dc-472c-a7ac-6c5173b348a1",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json b/packages/infoblox_bloxone_ddi/0.1.1/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json
deleted file mode 100755
index 2acf2927b1..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "infoblox_bloxone_ddi.dns_config.dnssec.root_keys.protocol.zone",
- "infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.protocol.zone",
- "infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.protocol.zone"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "DNS Config Events by Protocol Zone [Logs Infoblox BloxOne DDI]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/infoblox_bloxone_ddi/0.1.1/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.1/manifest.yml
deleted file mode 100755
index 5c79257731..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.1/manifest.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-format_version: 1.0.0
-name: infoblox_bloxone_ddi
-title: Infoblox BloxOne DDI
-version: '0.1.1'
-license: basic
-description: Collect logs from Infoblox BloxOne DDI with Elastic Agent.
-type: integration
-categories:
- - security
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/infoblox-bloxone-ddi-screenshot.png
- title: Infoblox BloxOne DDI dashboard screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/infoblox-bloxone-ddi-logo.svg
- title: Infoblox BloxOne DDI logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: infoblox_bloxone_ddi
- title: Infoblox BloxOne DDI
- description: Collect logs from Infoblox BloxOne DDI.
- inputs:
- - type: httpjson
- title: Collect Infoblox BloxOne DDI logs via API
- description: Collecting Infoblox BloxOne DDI logs via API.
- vars:
- - name: url
- type: text
- title: URL
- description: Infoblox BloxOne DDI URL.
- multi: false
- required: true
- show_user: true
- default: https://csp.infoblox.com
- - name: api_key
- type: password
- title: API Key
- description: API Key.
- multi: false
- required: true
- show_user: true
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/lastpass/0.1.0/LICENSE.txt b/packages/lastpass/0.1.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/lastpass/0.1.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/lastpass/0.1.0/changelog.yml b/packages/lastpass/0.1.0/changelog.yml
deleted file mode 100755
index ccba43f365..0000000000
--- a/packages/lastpass/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: '0.1.0'
- changes:
- - description: Initial Release.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/agent/stream/httpjson.yml.hbs b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 7d68e1b871..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,56 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.url: {{url}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: body.cid
- value: '{{account_number}}'
- - set:
- target: body.provhash
- value: '{{provisioning_hash}}'
- - set:
- target: body.cmd
- value: 'getdetailedsfdata'
- - set:
- target: body.data
- value: 'all'
-response.transforms:
- - set:
- target: body.data
- value: '[[.last_response.body]]'
- value_type: json
-response.split:
- target: body.data
- type: map
- keep_parent: false
- key_field: id
- split:
- target: body.users
- keep_parent: true
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/elasticsearch/ingest_pipeline/default.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 54ad9feb03..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,141 +0,0 @@ ---- -description: Pipeline for processing Detailed Shared Folder logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.type - value: [info] - - set: - field: event.kind - value: state - - rename: - field: json.sharedfoldername - target_field: lastpass.detailed_shared_folder.name - ignore_missing: true - - convert: - field: json.deleted - target_field: lastpass.detailed_shared_folder.deleted - if: ctx.json?.deleted != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - convert: - field: json.score - target_field: lastpass.detailed_shared_folder.score - if: ctx.json?.score != '' - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - rename: - field: json.id - target_field: lastpass.detailed_shared_folder.shared_folder.id - ignore_missing: true - - rename: - field: json.users.username - target_field: lastpass.detailed_shared_folder.user.name - ignore_missing: true - - set: - field: user.email - copy_from: lastpass.detailed_shared_folder.user.name - ignore_failure: true - - convert: - field: json.users.superadmin - target_field: lastpass.detailed_shared_folder.user.super_admin - if: ctx.json?.users?.superadmin != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - convert: - field: json.users.readonly - target_field: lastpass.detailed_shared_folder.user.read_only - if: ctx.json?.users?.readonly != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - convert: - field: json.users.give - target_field: 
lastpass.detailed_shared_folder.user.give - if: ctx.json?.users?.give != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - convert: - field: json.users.can_administer - target_field: lastpass.detailed_shared_folder.user.can_administer - if: ctx.json?.users?.can_administer != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - - rename: - field: json.users.sites - target_field: lastpass.detailed_shared_folder.user.site - ignore_missing: true - - append: - field: related.user - value: '{{{user.email}}}' - if: ctx.user?.email != null - allow_duplicates: false - ignore_failure: true - - remove: - field: - - json - ignore_missing: true - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - lastpass.detailed_shared_folder.user.name - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file 
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/agent.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/base-fields.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/base-fields.yml
deleted file mode 100755
index 05f4b7c85b..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: lastpass
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: lastpass.detailed_shared_folder
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/ecs.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/ecs.yml
deleted file mode 100755
index e7c70ac512..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/ecs.yml
+++ /dev/null
@@ -1,46 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/fields.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/fields.yml deleted file mode 100755 index c8338f3b13..0000000000 --- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/fields/fields.yml +++ /dev/null @@ -1,29 +0,0 @@ -- name: lastpass.detailed_shared_folder - type: group - fields: - - name: deleted - type: boolean - - name: name - type: keyword - - name: score - type: double - - name: shared_folder - type: group - fields: - - name: id - type: keyword - - name: user - type: group - fields: - - name: can_administer - type: boolean - - name: give - type: boolean - - name: name - type: keyword - - name: read_only - type: boolean - - name: site - type: keyword - - name: super_admin - type: boolean 
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/manifest.yml b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/manifest.yml
deleted file mode 100755
index d5fbb0dd94..0000000000
--- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/manifest.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -title: Collect Detailed Shared Folder logs from LastPass -type: logs -streams: - - input: httpjson - title: Detailed Shared Folder logs - description: Collect detailed shared folder logs from LastPass. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Duration between requests to the LastPass API. NOTE:- Supported units for this parameter are h/m/s. - default: 1h - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. - multi: false - required: true - show_user: false - default: 30s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - lastpass-detailed_shared_folder - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve lastpass.detailed_shared_folder fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/sample_event.json b/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/sample_event.json deleted file mode 100755 index 8a28f66faa..0000000000 --- a/packages/lastpass/0.1.0/data_stream/detailed_shared_folder/sample_event.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "@timestamp": "2022-09-30T10:43:14.648Z", - "agent": { - "ephemeral_id": "9ffd2019-4880-44c2-a638-b3329f681bbf", - "hostname": "docker-fleet-agent", - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "lastpass.detailed_shared_folder", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-30T10:43:14.648Z", - "dataset": "lastpass.detailed_shared_folder", - "ingested": "2022-09-30T10:43:18Z", - "kind": "state", - "original": "{\"id\":\"101\",\"score\":99,\"sharedfoldername\":\"ThisSFName\",\"users\":{\"can_administer\":true,\"give\":false,\"readonly\":true,\"sites\":[\"aaa.com\",\"bbb.com\"],\"username\":\"joe.user@lastpass.com\"}}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "lastpass": { - "detailed_shared_folder": { - "name": "ThisSFName", - "score": 99, - "shared_folder": { - "id": "101" - }, - "user": { - "can_administer": true, - "give": false, - "name": "joe.user@lastpass.com", - "read_only": true, - "site": [ - "aaa.com", - "bbb.com" - ] - } - } - }, - "related": { - "user": [ - "joe.user@lastpass.com" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "lastpass-detailed_shared_folder" - ], - "user": { - "email": "joe.user@lastpass.com" - } -} \ No newline at end of file 
diff --git a/packages/lastpass/0.1.0/data_stream/event_report/agent/stream/httpjson.yml.hbs b/packages/lastpass/0.1.0/data_stream/event_report/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 70e38d1909..0000000000
--- a/packages/lastpass/0.1.0/data_stream/event_report/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,70 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.url: {{url}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: body.cid - value: '{{account_number}}' - - set: - target: body.provhash - value: '{{provisioning_hash}}' - - set: - target: body.cmd - value: 'reporting' - - set: - target: body.user - value: 'allusers' - - set: - target: body.data.from - value: '[[.cursor.last_time]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02 15:04:05" "Local"]]' - - set: - target: url.params.from - value: '[[.body.data.from]]' - - set: - target: body.data.to - value: '[[formatDate (now) "2006-01-02 15:04:05" "Local"]]' -response.pagination: - - set: - target: body.data.from - value: '[[if (ne .last_response.body.next nil)]][[.last_response.url.params.Get "from"]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true - - set: - target: body.data.to - value: '[[if (ne .last_response.body.next nil)]][[formatDate (parseTimestampMilli (div (toInt .last_response.body.next) 1000)) "2006-01-02 15:04:05" "Local"]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -response.split: - target: body.data - type: map - keep_parent: false - key_field: id -cursor: - last_time: - value: '[[if (eq .last_response.page 1)]][[formatDate (parseDate .last_response.body.data.Event1.Time "2006-01-02 15:04:05") "2006-01-02 15:04:05"]][[end]]' -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/lastpass/0.1.0/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml b/packages/lastpass/0.1.0/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ed8c26d115..0000000000
--- a/packages/lastpass/0.1.0/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,342 +0,0 @@ ---- -description: Pipeline for processing Event Report logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.IP_Address - - json.Username - - json.Data - - json.Action - - json.Time - target_field: '_id' - ignore_missing: true - - set: - field: event.kind - value: event - - set: - field: event.category - if: ctx.json?.Action?.contains('Login Verification Email Sent') || ctx.json?.Action?.contains('Log in') || ctx.json?.Action?.contains('Login to Admin Console') || ctx.json?.Action?.contains('SAML Login') || ctx.json?.Action?.contains('Multifactor Enabled') - value: [authentication] - - set: - field: event.category - if: ctx.json?.Action?.contains('Add Policy') || ctx.json?.Action?.contains('Delete Policy') - value: [configuration] - - set: - field: event.category - if: ctx.json?.Action?.contains('Make Admin') || ctx.json?.Action?.contains('Master Password Changed') || ctx.json?.Action?.contains('Master Password Reset by Super Admin') || ctx.json?.Action?.contains('Require Password Change') || ctx.json?.Action?.contains('Employee Account Created') || ctx.json?.Action?.contains('Created LastPass Account') || ctx.json?.Action?.contains('Employee Account Deleted') || ctx.json?.Action?.contains('Remove Admin') || ctx.json?.Action?.contains('Create Group') || ctx.json?.Action?.contains('Adding User to Group') - value: [iam] - - set: - field: event.type - if: ctx.json?.Action?.contains('Login Verification Email Sent') || ctx.json?.Action?.contains('Log in') || ctx.json?.Action?.contains('Login to Admin Console') || ctx.json?.Action?.contains('SAML Login') || ctx.json?.Action?.contains('Open Secure Note') || ctx.json?.Action?.contains('Failed Login Attempt') - value: [access] - - set: - field: event.type - if: ctx.json?.Action?.contains('Make Admin') - value: [admin] - - 
set: - field: event.type - if: ctx.json?.Action?.contains('Enterprise API Secret regenerated') || ctx.json?.Action?.contains('Update Folder Permissions') || ctx.json?.Action?.contains('Master Password Changed') || ctx.json?.Action?.contains('Master Password Reset by Super Admin') || ctx.json?.Action?.contains('Edit Secure Note') || ctx.json?.Action?.contains('Renamed Shared Folder') || ctx.json?.Action?.contains('Move to Shared Folder') || ctx.json?.Action?.contains('Move from Shared Folder') || ctx.json?.Action?.contains('Limit Shared Folder') || ctx.json?.Action?.contains('Update Folder Permissions') - value: [change] - - set: - field: event.type - if: ctx.json?.Action?.contains('Employee Account Created') || ctx.json?.Action?.contains('Created LastPass Account') || ctx.json?.Action?.contains('Created Shared Folder') || ctx.json?.Action?.contains('Add Secure Note') || ctx.json?.Action?.contains('Site Added') || ctx.json?.Action?.contains('Add to Shared Folder') || ctx.json?.Action?.contains('Add Policy') - value: [creation] - - set: - field: event.type - if: ctx.json?.Action?.contains('Deleted Sites') || ctx.json?.Action?.contains('Delete Policy') || ctx.json?.Action?.contains('Deleted Shared Folder') || ctx.json?.Action?.contains('Employee Account Deleted') || ctx.json?.Action?.contains('Remove Admin') || ctx.json?.Action?.contains('Removed From Shared Folder') || ctx.json?.Action?.contains('Delete Shared Sites') || ctx.json?.Action?.contains('Deleted Sites') - value: [deletion] - - set: - field: event.type - if: ctx.json?.Action?.contains('Create Group') || ctx.json?.Action?.contains('Adding User to Group') - value: [group,creation] - - set: - field: event.type - if: ctx.json?.Action?.contains('Get Shared Folder Data') || ctx.json?.Action?.contains('Get User Data') || ctx.json?.Action?.contains('Employee Invited') || ctx.json?.Action?.contains('Reporting') || ctx.json?.Action?.contains('Require Password Change') || ctx.json?.Action?.contains('Multifactor 
Enabled') - value: [info] - - date: - field: json.Time - if: ctx.json?.Time != null && ctx.json.Time != '' - target_field: lastpass.event_report.time - formats: - - ISO8601 - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss ZZZZ - - yyyy-MM-dd HH:mm:ssZZZZ - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: lastpass.event_report.time - ignore_failure: true - - rename: - field: json.Action - target_field: lastpass.event_report.action - ignore_missing: true - - set: - field: event.action - copy_from: lastpass.event_report.action - ignore_failure: true - - convert: - field: json.IP_Address - target_field: lastpass.event_report.ip - if: ctx.json?.IP_Address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: lastpass.event_report.ip - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - rename: - field: json.Username - target_field: lastpass.event_report.user_name - ignore_missing: true - - rename: - field: json.Data - target_field: lastpass.event_report.data.original - ignore_missing: true - - split: - if: ctx.event?.action?.contains('Deleted Sites') - field: lastpass.event_report.data.original - separator: ',' - target_field: lastpass.event_report.data.deleted_site - ignore_failure: true - - split: - if: ctx.event?.action?.contains('Employee Invited') || ctx.event?.action?.contains('Employee Account Created') || ctx.event?.action?.contains('Employee Account Deleted') - field: lastpass.event_report.data.original - separator: ',' - target_field: lastpass.event_report.data.user_email - ignore_failure: true - - script: - description: Separate Shared Folder Name and User Email with comma(',') in Limit Shared Folder Event Type. 
- lang: painless - source: - if (ctx.event?.action?.contains('Limit Shared Folder')) { - int indx = ctx.lastpass.event_report.data.original.lastIndexOf(' '); - String str = ctx.lastpass.event_report.data.original.substring(0,indx)+ ',' + ctx.lastpass.event_report.data.original.substring(indx+1); - ctx._temp = str; - } - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Log in') - patterns: - - "^%{GREEDYDATA:lastpass.event_report.data.login_site}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('SAML Login') - patterns: - - "^%{GREEDYDATA:lastpass.event_report.data.saml_login}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Failed Login Attempt') - patterns: - - "^%{GREEDYDATA:lastpass.event_report.data.failed_login}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Login to Admin Console') || ctx.event?.action?.contains('Make Admin') || ctx.event?.action?.contains('Remove Admin') || ctx.event?.action?.contains('Require Password Change') || ctx.event?.action?.contains('Master Password Reset by Super Admin') - patterns: - - "^%{EMAILADDRESS:lastpass.event_report.data.user_email}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Site Added') - patterns: - - "^%{GREEDYDATA:lastpass.event_report.data.added_site}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Created Shared Folder') || ctx.event?.action?.contains('Deleted Shared Folder') - patterns: - - "^%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Add Secure Note') || ctx.event?.action?.contains('Open Secure Note') - patterns: - - 
"^Secure Note\\s+\\(%{DATA:lastpass.event_report.data.secure_note}\\)$" - - "^Secure Note\\s+\\(%{DATA:lastpass.event_report.data.secure_note}\\)\\s+from\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Edit Secure Note') - patterns: - - "^Secure Note\\s+\\(%{DATA:lastpass.event_report.data.secure_note}\\)$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Add to Shared Folder') - patterns: - - "^\\'%{DATA:lastpass.event_report.data.shared_folder_name}\\'\\s+\\'%{EMAILADDRESS:lastpass.event_report.data.user_email}\\'$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Create Group') - patterns: - - "^\\'%{DATA:lastpass.event_report.data.group_name}\\'$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Adding User to Group') - patterns: - - "^%{EMAILADDRESS:lastpass.event_report.data.user_email}\\s+\\-\\s+%{DATA:lastpass.event_report.data.group_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Created LastPass Account') - patterns: - - "^%{EMAILADDRESS:lastpass.event_report.data.user_email}\\s*\\-Shared\\-\\s*%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Update Folder Permissions') - patterns: - - "^\\'%{DATA:lastpass.event_report.data.shared_folder_name}\\'\\s+\\'%{EMAILADDRESS:lastpass.event_report.data.user_email}\\'\\s+\\'Read only\\:%{DATA:lastpass.event_report.data.shared_folder_user_permissions.read_only}\\s+Admin\\:%{DATA:lastpass.event_report.data.shared_folder_user_permissions.admin}\\s+Hide 
PW\\:%{DATA:lastpass.event_report.data.shared_folder_user_permissions.hide_password}\\'$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Renamed Shared Folder') - patterns: - - "^\\'%{DATA:lastpass.event_report.data.shared_folder_name}\\'\\s+\\'%{DATA:lastpass.event_report.data.renamed_shared_folder_name}\\'$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Move to Shared Folder') - patterns: - - "^\\s+to\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - - "^%{GREEDYDATA:lastpass.event_report.data.site}\\s+to\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Move from Shared Folder') - patterns: - - "^ from INVALID SHARED FOLDER$" - - "^\\s+from\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - - "^%{GREEDYDATA:lastpass.event_report.data.site}\\s+from\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Delete Shared Sites') - patterns: - - "^\\s+from\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - - "^%{GREEDYDATA:lastpass.event_report.data.deleted_site}\\s+from\\s+%{DATA:lastpass.event_report.data.shared_folder_name}$" - ignore_failure: true - - grok: - field: _temp - if: ctx.event?.action?.contains('Limit Shared Folder') - patterns: - - "^%{DATA:lastpass.event_report.data.shared_folder_name}\\,%{EMAILADDRESS:lastpass.event_report.data.user_email}$" - ignore_failure: true - - grok: - field: lastpass.event_report.data.original - if: ctx.event?.action?.contains('Removed From Shared Folder') - patterns: - - "^\\'%{DATA:lastpass.event_report.data.shared_folder_name}\\'\\s+\\'%{EMAILADDRESS:lastpass.event_report.data.user_email}\\'$" - ignore_failure: true - - set: - 
field: user.group.name - copy_from: lastpass.event_report.data.group_name - ignore_failure: true - - foreach: - if: ctx.event?.action?.contains('Employee Invited') || ctx.event?.action?.contains('Employee Account Created') || ctx.event?.action?.contains('Employee Account Deleted') - field: lastpass.event_report.data.user_email - processor: - append: - field: user.email - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - append: - if: "!(ctx.event?.action?.contains('Employee Invited') || ctx.event?.action?.contains('Employee Account Created') || ctx.event?.action?.contains('Employee Account Deleted'))" - field: user.email - value: - - '{{{lastpass.event_report.data.user_email}}}' - allow_duplicates: false - ignore_failure: true - - append: - field: user.email - value: - - '{{{lastpass.event_report.user_name}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: user.email - processor: - append: - field: related.user - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - remove: - field: - - json - - _temp - ignore_missing: true - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - lastpass.event_report.time - - lastpass.event_report.action - - lastpass.event_report.ip - - lastpass.event_report.user_name - - lastpass.event_report.data.user_email - - lastpass.event_report.data.group_name - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/lastpass/0.1.0/data_stream/event_report/fields/agent.yml b/packages/lastpass/0.1.0/data_stream/event_report/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/lastpass/0.1.0/data_stream/event_report/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/lastpass/0.1.0/data_stream/event_report/fields/base-fields.yml b/packages/lastpass/0.1.0/data_stream/event_report/fields/base-fields.yml deleted file mode 100755 index 51ce20f26b..0000000000 --- a/packages/lastpass/0.1.0/data_stream/event_report/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module. - value: lastpass -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: lastpass.event_report -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/lastpass/0.1.0/data_stream/event_report/fields/ecs.yml b/packages/lastpass/0.1.0/data_stream/event_report/fields/ecs.yml deleted file mode 100755 index 7bdf37c4ab..0000000000 --- a/packages/lastpass/0.1.0/data_stream/event_report/fields/ecs.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: source.geo.location.lon - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword diff --git a/packages/lastpass/0.1.0/data_stream/event_report/fields/fields.yml b/packages/lastpass/0.1.0/data_stream/event_report/fields/fields.yml deleted file mode 100755 index 601c0e64b8..0000000000 --- a/packages/lastpass/0.1.0/data_stream/event_report/fields/fields.yml +++ /dev/null @@ -1,47 +0,0 @@ -- name: lastpass.event_report - type: group - fields: - - name: action - type: keyword - - name: data - type: group - fields: - - name: added_site - type: keyword - - name: deleted_site - type: keyword - - name: failed_login - type: keyword - - name: group_name - type: keyword - - name: login_site - type: keyword - - name: original - type: text - - name: renamed_shared_folder_name - type: keyword - - name: saml_login - type: keyword - - name: secure_note - type: keyword - - name: shared_folder_name - type: keyword - - name: shared_folder_user_permissions - type: group - fields: - - name: admin - type: keyword - - name: hide_password - type: keyword - - name: read_only - type: keyword - - name: site - type: keyword - - name: user_email - type: keyword - - name: ip - type: ip - - name: time - type: date - - name: user_name - type: keyword diff --git a/packages/lastpass/0.1.0/data_stream/event_report/manifest.yml b/packages/lastpass/0.1.0/data_stream/event_report/manifest.yml deleted file mode 100755 index 9a2b2122ad..0000000000 
--- a/packages/lastpass/0.1.0/data_stream/event_report/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: Collect Event Report logs from LastPass -type: logs -streams: - - input: httpjson - title: Event Report logs - description: Collect event report logs from LastPass. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the event report from LastPass. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the LastPass API. NOTE:- Supported units for this parameter are h/m/s. - default: 1h - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. - multi: false - required: true - show_user: false - default: 30s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - lastpass-event_report - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve lastpass.event_report fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/lastpass/0.1.0/data_stream/event_report/sample_event.json b/packages/lastpass/0.1.0/data_stream/event_report/sample_event.json deleted file mode 100755 index a475d69598..0000000000 --- a/packages/lastpass/0.1.0/data_stream/event_report/sample_event.json +++ /dev/null @@ -1,69 +0,0 @@ -{ - "@timestamp": "2015-07-17T09:51:51.000Z", - "agent": { - "ephemeral_id": "13953b06-3145-46e7-a5fd-faa2fa36dff5", - "hostname": "docker-fleet-agent", - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "lastpass.event_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "Failed Login Attempt", - "agent_id_status": "verified", - "created": "2022-09-30T10:43:58.475Z", - "dataset": "lastpass.event_report", - "ingested": "2022-09-30T10:44:02Z", - "kind": "event", - "original": "{\"Action\":\"Failed Login Attempt\",\"Data\":\"\",\"IP_Address\":\"10.16.21.21\",\"Time\":\"2015-07-17 09:51:51\",\"Username\":\"j.user@example.com\",\"id\":\"Event1\"}", - "type": [ - "access" - ] - }, - "input": { - "type": "httpjson" - }, - "lastpass": { - "event_report": { - "action": "Failed Login Attempt", - "ip": "10.16.21.21", - "time": "2015-07-17T09:51:51.000Z", - "user_name": "j.user@example.com" - } - }, - "related": { - "ip": [ - "10.16.21.21" - ], - "user": [ - "j.user@example.com" - ] - }, - "source": { - "ip": "10.16.21.21" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "lastpass-event_report" - ], - "user": { - "email": [ - "j.user@example.com" - ] - } -} \ No newline at end of file 
diff --git a/packages/lastpass/0.1.0/data_stream/user/agent/stream/httpjson.yml.hbs b/packages/lastpass/0.1.0/data_stream/user/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 5622ed09c3..0000000000 --- a/packages/lastpass/0.1.0/data_stream/user/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,56 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.url: {{url}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: body.cid - value: '{{account_number}}' - - set: - target: body.provhash - value: '{{provisioning_hash}}' - - set: - target: body.cmd - value: 'getuserdata' - - set: - target: body.data.pagesize - value: 2000 - - set: - target: body.data.pageindex - value: 0 -response.pagination: - - set: - target: body.data.pageindex - value: '[[if (eq (toInt .last_response.body.count) (toInt .body.data.pagesize))]][[.last_response.page]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -response.split: - target: body.Users - type: map - keep_parent: false - key_field: id -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/lastpass/0.1.0/data_stream/user/elasticsearch/ingest_pipeline/default.yml b/packages/lastpass/0.1.0/data_stream/user/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0bb9fed6e0..0000000000 --- a/packages/lastpass/0.1.0/data_stream/user/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,241 +0,0 @@ ---- -description: Pipeline for processing User logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: state - - set: - field: event.category - value: [iam] - - set: - field: event.type - value: [user] - - date: - field: json.created - target_field: lastpass.user.created - formats: - - ISO8601 - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss ZZZZ - - yyyy-MM-dd HH:mm:ssZZZZ - if: ctx.json?.created != null && ctx.json.created != '' - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.id - target_field: lastpass.user.id - ignore_missing: true - - set: - field: user.id - copy_from: lastpass.user.id - ignore_failure: true - - rename: - field: json.username - target_field: lastpass.user.user_name - ignore_missing: true - - set: - field: user.email - copy_from: lastpass.user.user_name - ignore_failure: true - - rename: - field: json.fullname - target_field: lastpass.user.full_name - ignore_missing: true - - set: - field: user.full_name - copy_from: lastpass.user.full_name - ignore_failure: true - - rename: - field: json.groups - target_field: lastpass.user.group - ignore_missing: true - - set: - field: user.group.name - copy_from: lastpass.user.group - ignore_failure: true - - convert: - field: json.applications - target_field: lastpass.user.application - if: ctx.json?.applications != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.attachments - target_field: lastpass.user.attachment - if: ctx.json?.attachments != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.disabled - target_field: 
lastpass.user.disabled - if: ctx.json?.disabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.duousername - target_field: lastpass.user.duo.user_name - ignore_missing: true - - convert: - field: json.formfills - target_field: lastpass.user.form_fill - if: ctx.json?.formfills != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.last_login - target_field: lastpass.user.last_login - formats: - - ISO8601 - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss ZZZZ - - yyyy-MM-dd HH:mm:ssZZZZ - if: ctx.json?.last_login != null && ctx.json.last_login != '' - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.last_pw_change - target_field: lastpass.user.last_password_change - formats: - - ISO8601 - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss ZZZZ - - yyyy-MM-dd HH:mm:ssZZZZ - if: ctx.json?.last_pw_change != null && ctx.json.last_pw_change != '' - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.linked - target_field: lastpass.user.linked - ignore_missing: true - - convert: - field: json.mpstrength - target_field: lastpass.user.master_password_strength - if: ctx.json?.mpstrength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.neverloggedin - target_field: lastpass.user.never_logged_in - if: ctx.json?.neverloggedin != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.notes - target_field: lastpass.user.note - if: ctx.json?.notes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: 
error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.password_reset_required - target_field: lastpass.user.password_reset_required - if: ctx.json?.password_reset_required != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.sites - target_field: lastpass.user.sites - ignore_missing: true - - convert: - field: json.totalscore - target_field: lastpass.user.total_score - if: ctx.json?.totalscore != '' - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.user - value: - - '{{{user.email}}}' - - '{{{user.full_name}}}' - allow_duplicates: false - ignore_failure: true - - remove: - field: - - json - ignore_missing: true - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - lastpass.user.id - - lastpass.user.user_name - - lastpass.user.full_name - - lastpass.user.group - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' 
diff --git a/packages/lastpass/0.1.0/data_stream/user/fields/agent.yml b/packages/lastpass/0.1.0/data_stream/user/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/lastpass/0.1.0/data_stream/user/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/lastpass/0.1.0/data_stream/user/fields/base-fields.yml b/packages/lastpass/0.1.0/data_stream/user/fields/base-fields.yml deleted file mode 100755 index 3627d87286..0000000000 --- a/packages/lastpass/0.1.0/data_stream/user/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module. - value: lastpass -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: lastpass.user -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/lastpass/0.1.0/data_stream/user/fields/ecs.yml b/packages/lastpass/0.1.0/data_stream/user/fields/ecs.yml deleted file mode 100755 index d71a0637d5..0000000000 --- a/packages/lastpass/0.1.0/data_stream/user/fields/ecs.yml +++ /dev/null 
@@ -1,66 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Name of the group.
- name: user.group.name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
diff --git a/packages/lastpass/0.1.0/data_stream/user/fields/fields.yml b/packages/lastpass/0.1.0/data_stream/user/fields/fields.yml
deleted file mode 100755
index b4d7391e00..0000000000
--- a/packages/lastpass/0.1.0/data_stream/user/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: lastpass.user
- type: group
- fields:
- - name: application
- type: long
- - name: attachment
- type: long
- - name: created
- type: date
- - name: disabled
- type: boolean
- - name: duo
- type: group
- fields:
- - name: user_name
- type: keyword
- - name: form_fill
- type: long
- - name: full_name
- type: keyword
- - name: group
- type: keyword
- - name: id
- type: keyword
- - name: last_login
- type: date
- - name: last_password_change
- type: date
- - name: linked
- type: keyword
- - name: master_password_strength
- type: long
- - name: never_logged_in
- type: boolean
- - name: note
- type: long
- - name: password_reset_required
- type: boolean
- - name: sites
- type: long
- - name: total_score
- type: double
- - name: user_name
- type: keyword
diff --git a/packages/lastpass/0.1.0/data_stream/user/manifest.yml b/packages/lastpass/0.1.0/data_stream/user/manifest.yml
deleted file mode 100755
index 1b62503cb9..0000000000
--- a/packages/lastpass/0.1.0/data_stream/user/manifest.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-title: Collect User logs from LastPass
-type: logs
-streams:
- - input: httpjson
- title: User logs
- description: Collect user logs from LastPass.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the LastPass API. NOTE:- Supported units for this parameter are h/m/s.
- default: 1h
- multi: false
- required: true
- show_user: true
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h.
- multi: false
- required: true
- show_user: false
- default: 30s
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - lastpass-user
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve lastpass.user fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/lastpass/0.1.0/data_stream/user/sample_event.json b/packages/lastpass/0.1.0/data_stream/user/sample_event.json
deleted file mode 100755
index efc9ed9fd8..0000000000
--- a/packages/lastpass/0.1.0/data_stream/user/sample_event.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "@timestamp": "2022-09-30T10:44:43.542Z",
- "agent": {
- "ephemeral_id": "7b68e43e-222f-4be8-a47a-53f48a2ac80d",
- "hostname": "docker-fleet-agent",
- "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "lastpass.user",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-09-30T10:44:43.542Z",
- "dataset": "lastpass.user",
- "ingested": "2022-09-30T10:44:47Z",
- "kind": "state",
- "original": "{\"admin\":false,\"applications\":0,\"attachments\":1,\"created\":\"2014-03-12 10:02:56\",\"disabled\":false,\"formfills\":2,\"fullname\":\"Ned Flanders\",\"groups\":[\"Domain Admins\",\"Dev Team\",\"Support Team\"],\"id\":\"101\",\"last_login\":\"2015-05-29 11:45:05\",\"last_pw_change\":\"2015-05-19 10:58:33\",\"linked\":\"personal.account@mydomain.com\",\"mpstrength\":\"100\",\"neverloggedin\":false,\"notes\":19,\"password_reset_required\":false,\"sites\":72,\"username\":\"user1@lastpass.com\"}",
- "type": [
- "user"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "lastpass": {
- "user": {
- "application": 0,
- "attachment": 1,
- "created": "2014-03-12T10:02:56.000Z",
- "disabled": false,
- "form_fill": 2,
- "full_name": "Ned Flanders",
- "group": [
- "Domain Admins",
- "Dev Team",
- "Support Team"
- ],
- "id": "101",
- "last_login": "2015-05-29T11:45:05.000Z",
- "last_password_change": "2015-05-19T10:58:33.000Z",
- "linked": "personal.account@mydomain.com",
- "master_password_strength": 100,
- "never_logged_in": false,
- "note": 19,
- "password_reset_required": false,
- "sites": 72,
- "user_name": "user1@lastpass.com"
- }
- },
- "related": {
- "user": [
- "user1@lastpass.com",
- "Ned Flanders"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "lastpass-user"
- ],
- "user": {
- "email": "user1@lastpass.com",
- "full_name": "Ned Flanders",
- "group": {
- "name": [
- "Domain Admins",
- "Dev Team",
- "Support Team"
- ]
- },
- "id": "101"
- }
-}
\ No newline at end of file
diff --git a/packages/lastpass/0.1.0/docs/README.md b/packages/lastpass/0.1.0/docs/README.md
deleted file mode 100755
index c1f5a4400d..0000000000
--- a/packages/lastpass/0.1.0/docs/README.md
+++ /dev/null
@@ -1,525 +0,0 @@ -# LastPass - -## Overview - -The [LastPass](https://www.lastpass.com/) integration allows users to monitor Detailed Shared Folder Data, User Data, and Event Report Logs. LastPass is a cloud-based password manager that stores users' login information online in a secure database and allows users to generate unique passwords for each site they visit. In addition, LastPass stores all users' passwords and enables them to log into their accounts with ease. It’s available on all major platforms, including mobile devices, computers, and browser extensions. - -## Data streams - -The LastPass integration collects logs for three types of events: Detailed Shared Folder Data, User Data, and Event Report. - -**Detailed Shared Folder Data** is used to get a detailed list of all shared folders, the sites within them, and the permissions granted to them. See more details in the doc [here](https://support.lastpass.com/help/get-detailed-shared-folder-data-via-lastpass-api). - -**User Data** is used to get account details about the user. See more details in the doc [here](https://support.lastpass.com/help/get-user-data-via-lastpass-api). - -**Event Report** is used to gather information about events that have taken place in the user's LastPass Business account. See more details in the doc [here](https://support.lastpass.com/help/event-reporting-via-lastpass-api). - -## Requirements - -Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. - - - **NOTE** - - A **business account** is required to use the LastPass integration. - - The LastPass **Provisioning API** does not support **managing groups for pre-configured SSO (Cloud) apps** for LastPass Business accounts. - -## Setup - -### To collect data from the LastPass REST APIs, follow the below steps: - -1. 
Log in with the user's **email address** and **master password** to access the [Admin Console](https://admin.lastpass.com). -2. If prompted, complete the steps for **multifactor authentication** (if it is enabled for the user account). -3. To get an **Account Number(CID)**, follow the below steps: - - On the **Dashboard** tab, the **Account Number(CID)** is located at the top of the page. it is preceded by the words **Account number**. - ![LastPass Account Number](../img/lastpass-account-number-screenshot.png) -4. To create a **Provisioning Hash**, follow the below steps: - - Go to **Advanced** -> **Enterprise API**. - - Choose from the following options: - - If the user has not previously created a provisioning hash, click **Create provisioning hash** -> **OK**, then the provisioning hash is shown at the top of the page. - - If the user previously created a provisioning hash but has since forgotten it, the user can generate a new one. - - **NOTE**: If the user has already created a provisioning hash, then generating a new one will invalidate the previous hash, and will require updating all integrations with the newly generated hash. - - To proceed with creating a new provisioning hash, click **Reset your provisioning hash** -> **OK**, then a new provisioning hash is shown at the top of the page. - ![LastPass Provisioning Hash](../img/lastpass-provisioning-hash-screenshot.png) - -## Logs reference - -### detailed_shared_folder - -This is the `detailed_shared_folder` dataset. 
- -#### Example - -An example event for `detailed_shared_folder` looks as following: - -```json -{ - "@timestamp": "2022-09-30T10:43:14.648Z", - "agent": { - "ephemeral_id": "9ffd2019-4880-44c2-a638-b3329f681bbf", - "hostname": "docker-fleet-agent", - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "lastpass.detailed_shared_folder", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-30T10:43:14.648Z", - "dataset": "lastpass.detailed_shared_folder", - "ingested": "2022-09-30T10:43:18Z", - "kind": "state", - "original": "{\"id\":\"101\",\"score\":99,\"sharedfoldername\":\"ThisSFName\",\"users\":{\"can_administer\":true,\"give\":false,\"readonly\":true,\"sites\":[\"aaa.com\",\"bbb.com\"],\"username\":\"joe.user@lastpass.com\"}}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "lastpass": { - "detailed_shared_folder": { - "name": "ThisSFName", - "score": 99, - "shared_folder": { - "id": "101" - }, - "user": { - "can_administer": true, - "give": false, - "name": "joe.user@lastpass.com", - "read_only": true, - "site": [ - "aaa.com", - "bbb.com" - ] - } - } - }, - "related": { - "user": [ - "joe.user@lastpass.com" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "lastpass-detailed_shared_folder" - ], - "user": { - "email": "joe.user@lastpass.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| lastpass.detailed_shared_folder.deleted | | boolean | -| lastpass.detailed_shared_folder.name | | keyword | -| lastpass.detailed_shared_folder.score | | double | -| lastpass.detailed_shared_folder.shared_folder.id | | keyword | -| lastpass.detailed_shared_folder.user.can_administer | | boolean | -| lastpass.detailed_shared_folder.user.give | | boolean | -| lastpass.detailed_shared_folder.user.name | | keyword | -| lastpass.detailed_shared_folder.user.read_only | | boolean | -| lastpass.detailed_shared_folder.user.site | | keyword | -| lastpass.detailed_shared_folder.user.super_admin | | boolean | -| log.offset | Log offset | long | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | - - -### event_report - -This is the `event_report` dataset. - -#### Example - -An example event for `event_report` looks as following: - -```json -{ - "@timestamp": "2015-07-17T09:51:51.000Z", - "agent": { - "ephemeral_id": "13953b06-3145-46e7-a5fd-faa2fa36dff5", - "hostname": "docker-fleet-agent", - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "lastpass.event_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "Failed Login Attempt", - "agent_id_status": "verified", - "created": "2022-09-30T10:43:58.475Z", - "dataset": "lastpass.event_report", - "ingested": "2022-09-30T10:44:02Z", - "kind": "event", - "original": "{\"Action\":\"Failed Login Attempt\",\"Data\":\"\",\"IP_Address\":\"10.16.21.21\",\"Time\":\"2015-07-17 09:51:51\",\"Username\":\"j.user@example.com\",\"id\":\"Event1\"}", - "type": [ 
- "access" - ] - }, - "input": { - "type": "httpjson" - }, - "lastpass": { - "event_report": { - "action": "Failed Login Attempt", - "ip": "10.16.21.21", - "time": "2015-07-17T09:51:51.000Z", - "user_name": "j.user@example.com" - } - }, - "related": { - "ip": [ - "10.16.21.21" - ], - "user": [ - "j.user@example.com" - ] - }, - "source": { - "ip": "10.16.21.21" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "lastpass-event_report" - ], - "user": { - "email": [ - "j.user@example.com" - ] - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| lastpass.event_report.action | | keyword | -| lastpass.event_report.data.added_site | | keyword | -| lastpass.event_report.data.deleted_site | | keyword | -| lastpass.event_report.data.failed_login | | keyword | -| lastpass.event_report.data.group_name | | keyword | -| lastpass.event_report.data.login_site | | keyword | -| lastpass.event_report.data.original | | text | -| lastpass.event_report.data.renamed_shared_folder_name | | keyword | -| lastpass.event_report.data.saml_login | | keyword | -| lastpass.event_report.data.secure_note | | keyword | -| lastpass.event_report.data.shared_folder_name | | keyword | -| lastpass.event_report.data.shared_folder_user_permissions.admin | | keyword | -| lastpass.event_report.data.shared_folder_user_permissions.hide_password | | keyword | -| lastpass.event_report.data.shared_folder_user_permissions.read_only | | keyword | -| lastpass.event_report.data.site | | keyword | -| lastpass.event_report.data.user_email | | keyword | -| lastpass.event_report.ip | | ip | -| lastpass.event_report.time | | date | -| lastpass.event_report.user_name | | keyword | -| log.offset | Log offset | long | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location.lat | Longitude and latitude. | geo_point | -| source.geo.location.lon | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | - - -### user - -This is the `user` dataset. 
-
-#### Example
-
-An example event for `user` looks as following:
-
-```json
-{
- "@timestamp": "2022-09-30T10:44:43.542Z",
- "agent": {
- "ephemeral_id": "7b68e43e-222f-4be8-a47a-53f48a2ac80d",
- "hostname": "docker-fleet-agent",
- "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "lastpass.user",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "c8a45af4-c8db-4a9e-bad1-f0fd8ef21467",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-09-30T10:44:43.542Z",
- "dataset": "lastpass.user",
- "ingested": "2022-09-30T10:44:47Z",
- "kind": "state",
- "original": "{\"admin\":false,\"applications\":0,\"attachments\":1,\"created\":\"2014-03-12 10:02:56\",\"disabled\":false,\"formfills\":2,\"fullname\":\"Ned Flanders\",\"groups\":[\"Domain Admins\",\"Dev Team\",\"Support Team\"],\"id\":\"101\",\"last_login\":\"2015-05-29 11:45:05\",\"last_pw_change\":\"2015-05-19 10:58:33\",\"linked\":\"personal.account@mydomain.com\",\"mpstrength\":\"100\",\"neverloggedin\":false,\"notes\":19,\"password_reset_required\":false,\"sites\":72,\"username\":\"user1@lastpass.com\"}",
- "type": [
- "user"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "lastpass": {
- "user": {
- "application": 0,
- "attachment": 1,
- "created": "2014-03-12T10:02:56.000Z",
- "disabled": false,
- "form_fill": 2,
- "full_name": "Ned Flanders",
- "group": [
- "Domain Admins",
- "Dev Team",
- "Support Team"
- ],
- "id": "101",
- "last_login": "2015-05-29T11:45:05.000Z",
- "last_password_change": "2015-05-19T10:58:33.000Z",
- "linked": "personal.account@mydomain.com",
- "master_password_strength": 100,
- "never_logged_in": false,
- "note": 19,
- "password_reset_required": false,
- "sites": 72,
- "user_name": "user1@lastpass.com"
- }
- },
- "related": {
- "user": [
- "user1@lastpass.com",
- "Ned Flanders"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "lastpass-user"
- ],
- "user": {
- "email": "user1@lastpass.com",
- "full_name": "Ned Flanders",
- "group": {
- "name": [
- "Domain Admins",
- "Dev Team",
- "Support Team"
- ]
- },
- "id": "101"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| lastpass.user.application | | long |
-| lastpass.user.attachment | | long |
-| lastpass.user.created | | date |
-| lastpass.user.disabled | | boolean |
-| lastpass.user.duo.user_name | | keyword |
-| lastpass.user.form_fill | | long |
-| lastpass.user.full_name | | keyword |
-| lastpass.user.group | | keyword |
-| lastpass.user.id | | keyword |
-| lastpass.user.last_login | | date |
-| lastpass.user.last_password_change | | date |
-| lastpass.user.linked | | keyword |
-| lastpass.user.master_password_strength | | long |
-| lastpass.user.never_logged_in | | boolean |
-| lastpass.user.note | | long |
-| lastpass.user.password_reset_required | | boolean |
-| lastpass.user.sites | | long |
-| lastpass.user.total_score | | double |
-| lastpass.user.user_name | | keyword |
-| log.offset | Log offset | long |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.group.name | Name of the group. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-
diff --git a/packages/lastpass/0.1.0/img/lastpass-account-number-screenshot.png b/packages/lastpass/0.1.0/img/lastpass-account-number-screenshot.png
deleted file mode 100755
index 0b77531ace..0000000000
Binary files a/packages/lastpass/0.1.0/img/lastpass-account-number-screenshot.png and /dev/null differ
diff --git a/packages/lastpass/0.1.0/img/lastpass-dashboard-screenshot.png b/packages/lastpass/0.1.0/img/lastpass-dashboard-screenshot.png
deleted file mode 100755
index 064036ecf7..0000000000
Binary files a/packages/lastpass/0.1.0/img/lastpass-dashboard-screenshot.png and /dev/null differ
diff --git a/packages/lastpass/0.1.0/img/lastpass-logo.svg b/packages/lastpass/0.1.0/img/lastpass-logo.svg
deleted file mode 100755
index 46981ee75d..0000000000
--- a/packages/lastpass/0.1.0/img/lastpass-logo.svg
+++ /dev/null
@@ -1,395 +0,0 @@ - - - -
diff --git a/packages/lastpass/0.1.0/img/lastpass-provisioning-hash-screenshot.png b/packages/lastpass/0.1.0/img/lastpass-provisioning-hash-screenshot.png
deleted file mode 100755
index e218e1697d..0000000000
Binary files a/packages/lastpass/0.1.0/img/lastpass-provisioning-hash-screenshot.png and /dev/null differ
diff --git a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-45d2e670-244b-11ed-80ca-25e921dc7ac2.json b/packages/lastpass/0.1.0/kibana/dashboard/lastpass-45d2e670-244b-11ed-80ca-25e921dc7ac2.json
deleted file mode 100755
index efdd63d5c6..0000000000
--- a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-45d2e670-244b-11ed-80ca-25e921dc7ac2.json
+++ /dev/null
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Overview of LastPass Event Report.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\":{\"columnOrder\":[\"eea26dba-3d71-45f4-bc1c-45546c85d832\"],\"columns\":{\"eea26dba-3d71-45f4-bc1c-45546c85d832\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Login 
Attempt\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"Failed Login Attempt\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"Failed Login Attempt\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eea26dba-3d71-45f4-bc1c-45546c85d832\",\"layerId\":\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"aff5a2ba-4ab4-4b85-93ac-716b90c7a01a\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"aff5a2ba-4ab4-4b85-93ac-716b90c7a01a\",\"title\":\"Number of Failed Login Attempts [Logs 
LastPass]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\":{\"columnOrder\":[\"eea26dba-3d71-45f4-bc1c-45546c85d832\"],\"columns\":{\"eea26dba-3d71-45f4-bc1c-45546c85d832\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Successful Login Attempts\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"Log in\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"Log 
in\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eea26dba-3d71-45f4-bc1c-45546c85d832\",\"layerId\":\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"70c747c4-8342-49fe-a5fe-6273c4fcbef6\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"70c747c4-8342-49fe-a5fe-6273c4fcbef6\",\"title\":\"Number of Successful Login Attempts [Logs LastPass]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\":{\"columnOrder\":[\"eea26dba-3d71-45f4-bc1c-45546c85d832\"],\"columns\":{\"eea26dba-3d71-45f4-bc1c-45546c85d832\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Successful Login Attempts in Admin 
Console\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"Login to Admin Console\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"Login to Admin Console\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eea26dba-3d71-45f4-bc1c-45546c85d832\",\"layerId\":\"8700085c-cade-4c46-98ff-1c9f5a8c4b80\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"3226548a-7d30-43be-a4af-f4d0c259bd01\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3226548a-7d30-43be-a4af-f4d0c259bd01\",\"title\":\"Number of Successful Login Attempts in Admin Console [Logs 
LastPass]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1bc44b1-ff39-483b-bf69-c0cd1a922960\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1bc44b1-ff39-483b-bf69-c0cd1a922960\":{\"columnOrder\":[\"cb91b3d3-b960-4562-a562-42a6d7ecd85d\",\"27e5af35-ba47-42c3-9d2c-012bfe56103e\"],\"columns\":{\"27e5af35-ba47-42c3-9d2c-012bfe56103e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb91b3d3-b960-4562-a562-42a6d7ecd85d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Event Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"27e5af35-ba47-42c3-9d2c-012bfe56103e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"cb91b3d3-b960-4562-a562-42a6d7ecd85d\"],\"layerId\":\"c1bc44b1-ff39-483b-bf69-c0cd1a922960\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"27e5af35-ba47-42c3-9d2c-012bfe56103e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}
],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b2a28b8d-f416-4936-ae39-5c82f46c45ce\",\"w\":24,\"x\":0,\"y\":9},\"panelIndex\":\"b2a28b8d-f416-4936-ae39-5c82f46c45ce\",\"title\":\"Distribution of Event Report by Action [Logs LastPass]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-33dc8d67-cb28-43ef-8cd2-277e6a68feef\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"33dc8d67-cb28-43ef-8cd2-277e6a68feef\":{\"columnOrder\":[\"89bed09b-f42e-4c42-b73a-e505b9423c5f\",\"dd09fb63-c080-4122-beb5-54564cacc839\"],\"columns\":{\"89bed09b-f42e-4c42-b73a-e505b9423c5f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Event 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dd09fb63-c080-4122-beb5-54564cacc839\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"dd09fb63-c080-4122-beb5-54564cacc839\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.event_report\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.event_report\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"dd09fb63-c080-4122-beb5-54564cacc839\"],\"layerId\":\"33dc8d67-cb28-43ef-8cd2-277e6a68feef\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"89bed09b-f42e-4c42-b73a-e505b9423c5f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3cd755a-0227-48d3-b89c-ae715132024f\",\"w\":24,\"x\":24,\"y\":9},\"panelIndex\":\"f3cd755a-0227-48d3-b89c-ae715132024f\",\"title\":\"Distribution of Event Report by Event Type [Logs LastPass]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs LastPass] Event Report", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "lastpass-45d2e670-244b-11ed-80ca-25e921dc7ac2", - 
"migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aff5a2ba-4ab4-4b85-93ac-716b90c7a01a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aff5a2ba-4ab4-4b85-93ac-716b90c7a01a:indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aff5a2ba-4ab4-4b85-93ac-716b90c7a01a:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aff5a2ba-4ab4-4b85-93ac-716b90c7a01a:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "70c747c4-8342-49fe-a5fe-6273c4fcbef6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "70c747c4-8342-49fe-a5fe-6273c4fcbef6:indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "70c747c4-8342-49fe-a5fe-6273c4fcbef6:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "70c747c4-8342-49fe-a5fe-6273c4fcbef6:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3226548a-7d30-43be-a4af-f4d0c259bd01:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3226548a-7d30-43be-a4af-f4d0c259bd01:indexpattern-datasource-layer-8700085c-cade-4c46-98ff-1c9f5a8c4b80", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3226548a-7d30-43be-a4af-f4d0c259bd01:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3226548a-7d30-43be-a4af-f4d0c259bd01:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"b2a28b8d-f416-4936-ae39-5c82f46c45ce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2a28b8d-f416-4936-ae39-5c82f46c45ce:indexpattern-datasource-layer-c1bc44b1-ff39-483b-bf69-c0cd1a922960", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2a28b8d-f416-4936-ae39-5c82f46c45ce:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3cd755a-0227-48d3-b89c-ae715132024f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3cd755a-0227-48d3-b89c-ae715132024f:indexpattern-datasource-layer-33dc8d67-cb28-43ef-8cd2-277e6a68feef", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3cd755a-0227-48d3-b89c-ae715132024f:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-975ecef0-2450-11ed-80ca-25e921dc7ac2.json b/packages/lastpass/0.1.0/kibana/dashboard/lastpass-975ecef0-2450-11ed-80ca-25e921dc7ac2.json deleted file mode 100755 index e6bfb885fa..0000000000 --- a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-975ecef0-2450-11ed-80ca-25e921dc7ac2.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "Overview of LastPass Detailed Shared Folder.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b695dcf9-338b-42ca-907d-2cc3379a899d\":{\"columnOrder\":[\"392a6c77-53d1-48b8-8871-a8490b707555\"],\"columns\":{\"392a6c77-53d1-48b8-8871-a8490b707555\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
Users\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"392a6c77-53d1-48b8-8871-a8490b707555\",\"layerId\":\"b695dcf9-338b-42ca-907d-2cc3379a899d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"af5b6742-fd04-4943-8cce-1587ec151551\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"af5b6742-fd04-4943-8cce-1587ec151551\",\"title\":\"Number of Users [Logs Detailed Shared Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b695dcf9-338b-42ca-907d-2cc3379a899d\":{\"columnOrder\":[\"392a6c77-53d1-48b8-8871-a8490b707555\"],\"columns\":{\"392a6c77-53d1-48b8-8871-a8490b707555\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Deleted Shared 
Folder\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"lastpass.detailed_shared_folder.deleted\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.detailed_shared_folder.deleted\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"392a6c77-53d1-48b8-8871-a8490b707555\",\"layerId\":\"b695dcf9-338b-42ca-907d-2cc3379a899d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"6d9a5ba5-e0c3-46e5-9c07-af104770017e\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"6d9a5ba5-e0c3-46e5-9c07-af104770017e\",\"title\":\"Number of Deleted Shared Folder [Logs Detailed Shared 
Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b695dcf9-338b-42ca-907d-2cc3379a899d\":{\"columnOrder\":[\"392a6c77-53d1-48b8-8871-a8490b707555\"],\"columns\":{\"392a6c77-53d1-48b8-8871-a8490b707555\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Read Only Permission\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"lastpass.detailed_shared_folder.user.read_only\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.detailed_shared_folder.user.read_only\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"392a6c77-53d1-48b8-8871-a8490b707555\",\"layerId\":\"b695dcf9-338b-42ca-907d-2cc3379a899d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"
0e218901-936e-45b9-ab32-94e595832523\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"0e218901-936e-45b9-ab32-94e595832523\",\"title\":\"Number of Read Only Permission [Logs Detailed Shared Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b695dcf9-338b-42ca-907d-2cc3379a899d\":{\"columnOrder\":[\"392a6c77-53d1-48b8-8871-a8490b707555\"],\"columns\":{\"392a6c77-53d1-48b8-8871-a8490b707555\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Administer Role 
Users\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"lastpass.detailed_shared_folder.user.can_administer\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.detailed_shared_folder.user.can_administer\":true}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"lastpass.detailed_shared_folder.deleted\",\"negate\":false,\"params\":{\"query\":false},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.detailed_shared_folder.deleted\":false}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"392a6c77-53d1-48b8-8871-a8490b707555\",\"layerId\":\"b695dcf9-338b-42ca-907d-2cc3379a899d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"173ea291-2f69-4afa-8e13-b02121b203d6\",\"w\":16,\"x\":0,\"y\":13},\"panelIndex\":\"173ea291-2f69-4afa-8e13-b02121b203d6\",\"title\":\"Number of Administer Role Users [Logs Detailed Shared 
Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b695dcf9-338b-42ca-907d-2cc3379a899d\":{\"columnOrder\":[\"392a6c77-53d1-48b8-8871-a8490b707555\"],\"columns\":{\"392a6c77-53d1-48b8-8871-a8490b707555\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Shared Folder\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"lastpass.detailed_shared_folder.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"392a6c77-53d1-48b8-8871-a8490b707555\",\"layerId\":\"b695dcf9-338b-42ca-907d-2cc3379a899d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"11274245-5591-4af1-b4a0-c58141b89aad\",\"w\":16,\"x\":16,\"y\":13},\"panelIndex\":\"11274245-5591-4af1-b4a0-c58141b89aad\",\"title\":\"Number of Shared Folder [Logs Detailed Shared 
Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-150fdf93-48de-42b0-9bbc-487d658a42b5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"150fdf93-48de-42b0-9bbc-487d658a42b5\":{\"columnOrder\":[\"0e705885-ca94-4d90-beed-dabe7d61abbe\",\"033759f7-70c7-4949-b4e1-30a016f83a39\"],\"columns\":{\"033759f7-70c7-4949-b4e1-30a016f83a39\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Score\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"lastpass.detailed_shared_folder.score\"},\"0e705885-ca94-4d90-beed-dabe7d61abbe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Shared Folder 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"033759f7-70c7-4949-b4e1-30a016f83a39\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"lastpass.detailed_shared_folder.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"0e705885-ca94-4d90-beed-dabe7d61abbe\",\"isTransposed\":false},{\"columnId\":\"033759f7-70c7-4949-b4e1-30a016f83a39\",\"isTransposed\":false}],\"layerId\":\"150fdf93-48de-42b0-9bbc-487d658a42b5\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"ebf5d99a-ae99-4930-a892-736529f5e56f\",\"w\":16,\"x\":32,\"y\":13},\"panelIndex\":\"ebf5d99a-ae99-4930-a892-736529f5e56f\",\"title\":\"Top 10 Shared Folder Score [Logs Detailed Shared Folder]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"3c7be8b6-83fb-4e0e-8927-9696c65585f0\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"3c7be8b6-83fb-4e0e-8927-9696c65585f0\",\"panelRefName\":\"panel_3c7be8b6-83fb-4e0e-8927-9696c65585f0\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs LastPass] Detailed Shared Folder", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "lastpass-975ecef0-2450-11ed-80ca-25e921dc7ac2", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "af5b6742-fd04-4943-8cce-1587ec151551:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "af5b6742-fd04-4943-8cce-1587ec151551:indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "af5b6742-fd04-4943-8cce-1587ec151551:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d9a5ba5-e0c3-46e5-9c07-af104770017e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d9a5ba5-e0c3-46e5-9c07-af104770017e:indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d9a5ba5-e0c3-46e5-9c07-af104770017e:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6d9a5ba5-e0c3-46e5-9c07-af104770017e:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0e218901-936e-45b9-ab32-94e595832523:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0e218901-936e-45b9-ab32-94e595832523:indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0e218901-936e-45b9-ab32-94e595832523:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0e218901-936e-45b9-ab32-94e595832523:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "173ea291-2f69-4afa-8e13-b02121b203d6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "173ea291-2f69-4afa-8e13-b02121b203d6:indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "173ea291-2f69-4afa-8e13-b02121b203d6:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "173ea291-2f69-4afa-8e13-b02121b203d6:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "173ea291-2f69-4afa-8e13-b02121b203d6:filter-index-pattern-2",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "11274245-5591-4af1-b4a0-c58141b89aad:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "11274245-5591-4af1-b4a0-c58141b89aad:indexpattern-datasource-layer-b695dcf9-338b-42ca-907d-2cc3379a899d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "11274245-5591-4af1-b4a0-c58141b89aad:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ebf5d99a-ae99-4930-a892-736529f5e56f:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ebf5d99a-ae99-4930-a892-736529f5e56f:indexpattern-datasource-layer-150fdf93-48de-42b0-9bbc-487d658a42b5",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ebf5d99a-ae99-4930-a892-736529f5e56f:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "lastpass-df784f50-2454-11ed-80ca-25e921dc7ac2",
- "name": "3c7be8b6-83fb-4e0e-8927-9696c65585f0:panel_3c7be8b6-83fb-4e0e-8927-9696c65585f0",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-fa6ad220-2458-11ed-80ca-25e921dc7ac2.json b/packages/lastpass/0.1.0/kibana/dashboard/lastpass-fa6ad220-2458-11ed-80ca-25e921dc7ac2.json
deleted file mode 100755
index 7d517dac9e..0000000000
--- a/packages/lastpass/0.1.0/kibana/dashboard/lastpass-fa6ad220-2458-11ed-80ca-25e921dc7ac2.json
+++ /dev/null
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Overview of LastPass User.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"58984551-363b-4c8a-9922-f04c7c8bbacc\":{\"columnOrder\":[\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\"],\"columns\":{\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
Users\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\",\"layerId\":\"58984551-363b-4c8a-9922-f04c7c8bbacc\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0425fe1b-7352-4721-b0c3-a66db9f56511\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"0425fe1b-7352-4721-b0c3-a66db9f56511\",\"title\":\"Number of Users [Logs User]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"58984551-363b-4c8a-9922-f04c7c8bbacc\":{\"columnOrder\":[\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\"],\"columns\":{\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of Never Logged in 
Users\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"lastpass.user.never_logged_in\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.user.never_logged_in\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\",\"layerId\":\"58984551-363b-4c8a-9922-f04c7c8bbacc\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6164fcb1-d8cb-4d93-be17-a0b326ad4a80\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"6164fcb1-d8cb-4d93-be17-a0b326ad4a80\",\"title\":\"Number of Never Logged In Users [Logs 
User]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"58984551-363b-4c8a-9922-f04c7c8bbacc\":{\"columnOrder\":[\"ddbef27e-042f-4b51-8cd2-36436704c98b\",\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\"],\"columns\":{\"ddbef27e-042f-4b51-8cd2-36436704c98b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.email\"},\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"lastpass.user.password_reset_required\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"lastpass.user.password_reset_required\":tru
e}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"ff2d09e5-b5e1-4bc8-bef8-28c4686fb1c5\",\"hidden\":true},{\"columnId\":\"ddbef27e-042f-4b51-8cd2-36436704c98b\",\"isTransposed\":false}],\"layerId\":\"58984551-363b-4c8a-9922-f04c7c8bbacc\",\"layerType\":\"data\",\"sorting\":{\"direction\":\"none\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"43c24467-2c71-4cc5-9470-ec96af09e8e9\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"43c24467-2c71-4cc5-9470-ec96af09e8e9\",\"title\":\"List of Users Requiring Password Reset [Logs User]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"21105a19-b880-4e29-9a7e-a9f2a6793e22\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"21105a19-b880-4e29-9a7e-a9f2a6793e22\",\"panelRefName\":\"panel_21105a19-b880-4e29-9a7e-a9f2a6793e22\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6d028067-e6da-4e7e-97f7-9c58a463d72e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6d028067-e6da-4e7e-97f7-9c58a463d72e\":{\"columnOrder\":[\"323776e5-2a3b-4788-b814-22295a3392db\",\"7f9b81a4-5af2-4acb-98c4-60b9ed14867c\"],\"columns\":{\"323776e5-2a3b-4788-b814-22295a3392db\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7f9b81a4-5af2-4acb-98c4-60b9ed14867c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scal
e\":\"ordinal\",\"sourceField\":\"user.email\"},\"7f9b81a4-5af2-4acb-98c4-60b9ed14867c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Score\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"lastpass.user.total_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"323776e5-2a3b-4788-b814-22295a3392db\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"7f9b81a4-5af2-4acb-98c4-60b9ed14867c\",\"isTransposed\":false}],\"layerId\":\"6d028067-e6da-4e7e-97f7-9c58a463d72e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"136a8a89-21fc-4d86-9cff-7a48820ae761\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"136a8a89-21fc-4d86-9cff-7a48820ae761\",\"title\":\"Top 10 Users Total Score [Logs 
User]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6d028067-e6da-4e7e-97f7-9c58a463d72e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6d028067-e6da-4e7e-97f7-9c58a463d72e\":{\"columnOrder\":[\"d36eae66-4284-49b5-9c26-2ec5fee5e413\",\"653a8190-9d66-403f-8898-e394ee4cb703\"],\"columns\":{\"653a8190-9d66-403f-8898-e394ee4cb703\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"User Email\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.email\"},\"d36eae66-4284-49b5-9c26-2ec5fee5e413\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Password Strength\",\"operationType\":\"range\",\"params\":{\"maxBars\":49.5,\"parentFormat\":{\"id\":\"range\",\"params\":{\"replaceInfinity\":true,\"template\":\"arrow_right\"}},\"ranges\":[{\"from\":0,\"label\":\"Week Password\",\"to\":25},{\"from\":25,\"label\":\"Good Password\",\"to\":50},{\"from\":50,\"label\":\"Very Good Password\",\"to\":75},{\"from\":75,\"label\":\"Strong 
Password\",\"to\":100}],\"type\":\"range\"},\"scale\":\"ordinal\",\"sourceField\":\"lastpass.user.master_password_strength\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d36eae66-4284-49b5-9c26-2ec5fee5e413\"],\"layerId\":\"6d028067-e6da-4e7e-97f7-9c58a463d72e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"653a8190-9d66-403f-8898-e394ee4cb703\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"truncateLegend\":false}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9d1ecb6d-1681-4166-ab86-8616a64ecfbb\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9d1ecb6d-1681-4166-ab86-8616a64ecfbb\",\"title\":\"Distribution of User by Password Strength [Logs User]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs LastPass] User", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "lastpass-fa6ad220-2458-11ed-80ca-25e921dc7ac2", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0425fe1b-7352-4721-b0c3-a66db9f56511:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0425fe1b-7352-4721-b0c3-a66db9f56511:indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "0425fe1b-7352-4721-b0c3-a66db9f56511:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6164fcb1-d8cb-4d93-be17-a0b326ad4a80:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6164fcb1-d8cb-4d93-be17-a0b326ad4a80:indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6164fcb1-d8cb-4d93-be17-a0b326ad4a80:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6164fcb1-d8cb-4d93-be17-a0b326ad4a80:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "43c24467-2c71-4cc5-9470-ec96af09e8e9:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "43c24467-2c71-4cc5-9470-ec96af09e8e9:indexpattern-datasource-layer-58984551-363b-4c8a-9922-f04c7c8bbacc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "43c24467-2c71-4cc5-9470-ec96af09e8e9:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "43c24467-2c71-4cc5-9470-ec96af09e8e9:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "lastpass-d8f5da30-245e-11ed-80ca-25e921dc7ac2",
- "name": "21105a19-b880-4e29-9a7e-a9f2a6793e22:panel_21105a19-b880-4e29-9a7e-a9f2a6793e22",
- "type": "search"
- },
- {
- "id": "logs-*",
- "name": "136a8a89-21fc-4d86-9cff-7a48820ae761:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "136a8a89-21fc-4d86-9cff-7a48820ae761:indexpattern-datasource-layer-6d028067-e6da-4e7e-97f7-9c58a463d72e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "136a8a89-21fc-4d86-9cff-7a48820ae761:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d1ecb6d-1681-4166-ab86-8616a64ecfbb:indexpattern-datasource-current-indexpattern",
- "type":
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d1ecb6d-1681-4166-ab86-8616a64ecfbb:indexpattern-datasource-layer-6d028067-e6da-4e7e-97f7-9c58a463d72e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9d1ecb6d-1681-4166-ab86-8616a64ecfbb:filter-index-pattern-0",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/lastpass/0.1.0/kibana/search/lastpass-d8f5da30-245e-11ed-80ca-25e921dc7ac2.json b/packages/lastpass/0.1.0/kibana/search/lastpass-d8f5da30-245e-11ed-80ca-25e921dc7ac2.json
deleted file mode 100755
index 3e61cb37ff..0000000000
--- a/packages/lastpass/0.1.0/kibana/search/lastpass-d8f5da30-245e-11ed-80ca-25e921dc7ac2.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.email",
- "user.full_name",
- "user.group.name",
- "lastpass.user.last_login",
- "lastpass.user.last_password_change",
- "lastpass.user.password_reset_required",
- "lastpass.user.never_logged_in"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.user\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.user\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User Essential Details [Logs User]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "lastpass-d8f5da30-245e-11ed-80ca-25e921dc7ac2",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/lastpass/0.1.0/kibana/search/lastpass-df784f50-2454-11ed-80ca-25e921dc7ac2.json b/packages/lastpass/0.1.0/kibana/search/lastpass-df784f50-2454-11ed-80ca-25e921dc7ac2.json
deleted file mode 100755
index 86df9284b5..0000000000
--- a/packages/lastpass/0.1.0/kibana/search/lastpass-df784f50-2454-11ed-80ca-25e921dc7ac2.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "lastpass.detailed_shared_folder.name",
- "lastpass.detailed_shared_folder.shared_folder.id",
- "user.email",
- "lastpass.detailed_shared_folder.super_admin",
- "lastpass.detailed_shared_folder.users.can_administer",
- "lastpass.detailed_shared_folder.users.read_only",
- "lastpass.detailed_shared_folder.users.give"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"lastpass.detailed_shared_folder\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"lastpass.detailed_shared_folder\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Detailed Shared Folder Essential Details [Logs Detailed Shared Folder]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "lastpass-df784f50-2454-11ed-80ca-25e921dc7ac2",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/lastpass/0.1.0/manifest.yml b/packages/lastpass/0.1.0/manifest.yml
deleted file mode 100755
index c7a5ef3fc2..0000000000
--- a/packages/lastpass/0.1.0/manifest.yml
+++ /dev/null
@@ -1,87 +0,0 @@ -format_version: 1.0.0 -name: lastpass -title: LastPass -version: 0.1.0 -license: basic -description: Collect logs from LastPass with Elastic Agent. -type: integration -categories: - - security -conditions: - kibana.version: ^7.17.0 || ^8.0.0 - elastic.subscription: basic -screenshots: - - src: /img/lastpass-dashboard-screenshot.png - title: LastPass Detailed Shared Folder Dashboard Screenshot - size: 600x600 - type: image/png -icons: - - src: /img/lastpass-logo.svg - title: LastPass Logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: lastpass - title: LastPass - description: Collect logs from LastPass. - inputs: - - type: httpjson - title: Collect LastPass logs via API - description: Collecting LastPass logs via API. - vars: - - name: url - type: text - title: URL - description: URL for the LastPass API. - multi: false - required: true - show_user: false - default: 'https://lastpass.com/enterpriseapi.php' - - name: account_number - type: text - title: Account number - description: LastPass account number. - required: true - - name: provisioning_hash - type: password - title: Provisioning hash - description: The API secret is also known as your provisioning hash, and is only displayed once it has been created. - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations diff --git a/packages/ping_one/0.1.0/LICENSE.txt b/packages/ping_one/0.1.0/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/ping_one/0.1.0/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/ping_one/0.1.0/changelog.yml b/packages/ping_one/0.1.0/changelog.yml deleted file mode 100755 index 11f927bf2e..0000000000 --- a/packages/ping_one/0.1.0/changelog.yml +++ /dev/null @@ -1,6 +0,0 @@ -# newer versions go on top -- version: '0.1.0' - changes: - - description: Initial Release. - type: enhancement - link: https://github.com/elastic/integrations/pull/4014 diff --git a/packages/ping_one/0.1.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs b/packages/ping_one/0.1.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index f0a651ee8f..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ping_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/ping_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 194c3b91df..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,54 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{api_path}}/v1/environments/{{environment_id}}/activities -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -auth.oauth2: - client.id: {{client_id}} - client.secret: {{client_secret}} - token_url: {{token_url}} - endpoint_params: - grant_type: client_credentials -request.transforms: - - set: - target: url.params.limit - value: '500' - - set: - target: url.params.filter - value: '[[sprintf "recordedAt gt %q AND recordedAt lt %q" (formatDate (parseDate .cursor.last_recorded_at) "2006-01-02T15:04:05.999Z") (formatDate (now) "2006-01-02T15:04:05.999Z")]]' - default: '[[sprintf "recordedAt gt %q AND recordedAt lt %q" (formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z") (formatDate (now) "2006-01-02T15:04:05.999Z")]]' -response.pagination: - - set: - target: url.value - value: '[[if index .last_response.body._links "next"]][[.last_response.body._links.next.href]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_recorded_at: - value: '[[if (eq .last_response.page 1)]][[.first_event.recordedAt]][[end]]' -response.split: - target: body._embedded.activities -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ping_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 02c18fbfb8..0000000000 
--- a/packages/ping_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,319 +0,0 @@ ---- -description: Pipeline for processing audit logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - append: - field: event.category - value: [iam] - - append: - field: event.category - if: ctx.json?.action?.type?.toLowerCase().contains('created') || ctx.json.action.type.toLowerCase().contains('deleted') || ctx.json.action.type.toLowerCase().contains('updated') || ctx.json.action.type.toLowerCase().contains('access_allowed') - value: [configuration] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('created') - value: [creation] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('deleted') - value: [deletion] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('updated') - value: [change] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('user') - value: [user] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('group') - value: [group] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('allowed') - value: [allowed] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('denied') - value: [denied] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('started') - value: [start] - - append: - field: event.type - if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed') - value: [access] - - append: - field: event.category - if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded') - value: [authentication] - - append: - field: event.category - if: ctx.json?.action?.type?.toLowerCase().contains('email') - value: [email] - - set: - field: 
event.type - if: ctx.event?.type == null - value: [info] - - fingerprint: - fields: - - json.recordedAt - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.createdAt - target_field: ping_one.audit.created_at - if: ctx.json?.createdAt != null && ctx.json?.createdAt != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json._embedded - target_field: ping_one.audit.embedded - ignore_missing: true - - rename: - field: json.tags - target_field: ping_one.audit.tags - ignore_missing: true - - foreach: - field: ping_one.audit.tags - processor: - append: - field: tags - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - if: ctx.ping_one?.audit?.tags != null && ctx.ping_one?.audit?.tags instanceof List - - rename: - field: json.id - target_field: ping_one.audit.id - ignore_missing: true - - set: - field: event.id - copy_from: ping_one.audit.id - ignore_failure: true - - date: - field: json.recordedAt - target_field: ping_one.audit.recorded_at - if: ctx.json?.recordedAt != null && ctx.json?.recordedAt != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: ping_one.audit.recorded_at - ignore_failure: true - - rename: - field: json.correlationId - target_field: ping_one.audit.correlation.id - ignore_missing: true - - rename: - field: json.actors.client.id - target_field: ping_one.audit.actors.client.id - ignore_missing: true - - set: - field: client.user.id - copy_from: ping_one.audit.actors.client.id - ignore_failure: true - - rename: - field: json.actors.client.name - target_field: ping_one.audit.actors.client.name - ignore_missing: true - - set: - field: client.user.name - copy_from: ping_one.audit.actors.client.name - ignore_failure: true - - rename: - field: json.actors.client.environment.id - 
target_field: ping_one.audit.actors.client.environment.id - ignore_missing: true - - rename: - field: json.actors.client.href - target_field: ping_one.audit.actors.client.href - ignore_missing: true - - rename: - field: json.actors.client.type - target_field: ping_one.audit.actors.client.type - ignore_missing: true - - append: - field: related.user - value: '{{{client.user.id}}}' - if: ctx.client?.user?.id != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{client.user.name}}}' - if: ctx.client?.user?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.actors.user.id - target_field: ping_one.audit.actors.user.id - ignore_missing: true - - set: - field: user.id - copy_from: ping_one.audit.actors.user.id - ignore_failure: true - - rename: - field: json.actors.user.name - target_field: ping_one.audit.actors.user.name - ignore_missing: true - - set: - field: user.name - copy_from: ping_one.audit.actors.user.name - ignore_failure: true - - rename: - field: json.actors.user.population.id - target_field: ping_one.audit.actors.user.population.id - ignore_missing: true - - rename: - field: json.actors.user.environment.id - target_field: ping_one.audit.actors.user.environment.id - ignore_missing: true - - rename: - field: json.actors.user.href - target_field: ping_one.audit.actors.user.href - ignore_missing: true - - rename: - field: json.actors.user.type - target_field: ping_one.audit.actors.user.type - ignore_missing: true - - append: - field: related.user - value: '{{{user.id}}}' - if: ctx.user?.id != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{user.name}}}' - if: ctx.user?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.action.type - target_field: ping_one.audit.action.type - ignore_missing: true - - set: - field: event.action - copy_from: ping_one.audit.action.type - ignore_failure: true 
- - lowercase: - field: event.action - ignore_missing: true - - rename: - field: json.action.description - target_field: ping_one.audit.action.description - ignore_missing: true - - foreach: - field: json.resources - processor: - uri_parts: - field: _ingest._value.href - ignore_failure: true - ignore_failure: true - if: ctx.json?.resources != null && ctx.json?.resources instanceof List - - rename: - field: json.resources - target_field: ping_one.audit.resources - ignore_missing: true - - rename: - field: json.result.id - target_field: ping_one.audit.result.id - ignore_missing: true - - rename: - field: json.result.status - target_field: ping_one.audit.result.status - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.ping_one?.audit?.result?.status == 'SUCCESS' || ctx.ping_one?.audit?.result?.status == 'succeeded' - ignore_failure: true - - set: - field: event.outcome - value: failure - if: ctx.ping_one?.audit?.result?.status == 'FAILURE' || ctx.ping_one?.audit?.result?.status == 'failed' - ignore_failure: true - - rename: - field: json.result.description - target_field: ping_one.audit.result.description - ignore_missing: true - - remove: - field: - - json - ignore_missing: true -# Remove ping_one.audit fields that are copied into an ECS field. 
- - foreach: - field: ping_one.audit.resources - processor: - remove: - field: _ingest._value.href - ignore_failure: true - ignore_missing: true - ignore_failure: true - if: ctx.ping_one?.audit?.resources != null && ctx.ping_one?.audit?.resources instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) - - remove: - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - field: - - ping_one.audit.recorded_at - - ping_one.audit.tags - - ping_one.audit.id - - ping_one.audit.result.status - - ping_one.audit.action.type - - ping_one.audit.actors.user.id - - ping_one.audit.actors.user.name - - ping_one.audit.actors.client.id - - ping_one.audit.actors.client.name - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/ping_one/0.1.0/data_stream/audit/fields/agent.yml b/packages/ping_one/0.1.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index bb99e5f0b1..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: >- - If the host is a container. - - name: os.build - type: keyword - example: '18D109' - description: >- - OS build information. - - name: os.codename - type: keyword - example: 'stretch' - description: >- - OS codename, if any. -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/ping_one/0.1.0/data_stream/audit/fields/base-fields.yml b/packages/ping_one/0.1.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index d1715693cd..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: ping_one -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: ping_one.audit diff --git a/packages/ping_one/0.1.0/data_stream/audit/fields/ecs.yml b/packages/ping_one/0.1.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 5dd3a3bd34..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
- In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/ping_one/0.1.0/data_stream/audit/fields/fields.yml b/packages/ping_one/0.1.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 377b2c8837..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -- name: ping_one.audit - type: group - fields: - - name: action - type: group - fields: - - name: description - type: text - description: A string that specifies the description of the action performed. - - name: type - type: keyword - description: A string that specifies the type of action performed (such as authentication or password reset). - - name: actors - type: group - fields: - - name: client - type: group - fields: - - name: environment - type: group - fields: - - name: id - type: keyword - description: A string that specifies the ID of the environment resource associated with the client. - - name: href - type: keyword - description: A string that specifies the URL for the specified client resource. - - name: id - type: keyword - description: A string that specifies the ID of the client. - - name: name - type: keyword - description: A string that specifies the name assigned to the client for PingOne sign on. - - name: type - type: keyword - description: A string that specifies the type of actor. Options are USER or CLIENT. - - name: user - type: group - fields: - - name: environment - type: group - fields: - - name: id - type: keyword - description: A string that specifies the ID of the environment resource associated with the user. - - name: href - type: keyword - description: A string that specifies the URL for the specified user resource. - - name: id - type: keyword - description: A string that specifies the ID of the user. - - name: name - type: keyword - description: A string that specifies the name assigned to the user for PingOne sign on. - - name: population - type: group - fields: - - name: id - type: keyword - description: A string that specifies the ID of the population resource associated with the user. - - name: type - type: keyword - description: A string that specifies the type of actor. Options are USER or CLIENT. 
- - name: correlation - type: group - fields: - - name: id - type: keyword - description: A string that specifies a PingOne identifier for multiple messages in a transaction. - - name: created_at - type: date - description: The date and time at which the event was created (ISO 8601 format). - - name: embedded - type: flattened - - name: id - type: keyword - description: A string that specifies the ID of the audit activity event. - - name: recorded_at - type: date - description: The date and time at which the event was recorded (ISO 8601 format). - - name: resources - type: group - fields: - - name: environment - type: group - fields: - - name: id - type: keyword - description: The UUID assigned as the key for the environment resource. - - name: href - type: keyword - description: A string that specifies the URL for the specified resource. - - name: id - type: keyword - description: A string that specifies the ID assigned as the key for the identifier resource (such as the environment, population or event message). - - name: name - type: keyword - description: A string that can be either the user name or the name of the environment, based on the resource type. - - name: population - type: group - fields: - - name: id - type: keyword - description: The UUID assigned as the key for the population resource. - - name: type - type: keyword - description: A string that specifies the type of resource associated with the event. Options are USER, ORGANIZATION, or ENVIRONMENT. - - name: result - type: group - fields: - - name: description - type: text - description: A string that specifies the description of the result of the operation. - - name: id - type: keyword - description: A string that specifies the ID for the result of the operation. - - name: status - type: keyword - description: A string that specifies the result of the operation. Options are succeeded or failed. 
- - name: tags - type: keyword - description: A string identifying the activity as the action of an administrator on other administrators. diff --git a/packages/ping_one/0.1.0/data_stream/audit/manifest.yml b/packages/ping_one/0.1.0/data_stream/audit/manifest.yml deleted file mode 100755 index 2f0bbf0450..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: Collect Audit logs from PingOne -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Audit logs - description: Collect audit logs from PingOne via HTTP Endpoint. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number on which listener binds to. - multi: false - required: true - show_user: true - default: 9100 - - name: url - type: text - title: URL - description: This options specific which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - ping_one-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve ping_one.audit fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: httpjson - title: Audit logs - description: Collect audit logs from PingOne via REST API. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the activities from PingOne. 
NOTE:- Supported units for this parameter are h/m/s. (Maximum - 2 years) - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the PingOne API. NOTE:- Supported units for this parameter are h/m/s. - default: 1m - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. - multi: false - required: true - show_user: false - default: 30s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - ping_one-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve ping_one.audit fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/ping_one/0.1.0/data_stream/audit/sample_event.json b/packages/ping_one/0.1.0/data_stream/audit/sample_event.json deleted file mode 100755 index d7748f57e4..0000000000 --- a/packages/ping_one/0.1.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,110 +0,0 @@
-{
- "@timestamp": "2022-06-10T17:04:25.518Z",
- "agent": {
- "ephemeral_id": "3ec0008f-3b03-448a-8617-f9798d15e68d",
- "hostname": "docker-fleet-agent",
- "id": "8e2910ec-3bb9-439a-90a1-acedb9847388",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "client": {
- "user": {
- "id": "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "name": "RichardPatchetWorker"
- }
- },
- "data_stream": {
- "dataset": "ping_one.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "8e2910ec-3bb9-439a-90a1-acedb9847388",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "group.created",
- "agent_id_status": "verified",
- "category": [
- "iam",
- "configuration"
- ],
- "created": "2022-10-03T07:21:04.317Z",
- "dataset": "ping_one.audit",
- "id": "2076da4e-81ae-4cf4-803a-4ccc16419bc9",
- "ingested": "2022-10-03T07:21:05Z",
- "kind": "event",
- "original": "{\"_links\":{\"self\":{\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/2076da4e-81ae-4cf4-803a-4ccc16419bc9\"}},\"action\":{\"description\":\"Group 
Created\",\"type\":\"GROUP.CREATED\"},\"actors\":{\"client\":{\"environment\":{\"id\":\"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa\"},\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9\",\"id\":\"830109c7-f8aa-491e-b2f2-8f7532ae85e9\",\"name\":\"RichardPatchetWorker\",\"type\":\"CLIENT\"}},\"correlationId\":\"28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14\",\"createdAt\":\"2022-06-10T17:04:25.534Z\",\"id\":\"2076da4e-81ae-4cf4-803a-4ccc16419bc9\",\"recordedAt\":\"2022-06-10T17:04:25.518Z\",\"resources\":[{\"environment\":{\"id\":\"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa\"},\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51\",\"id\":\"ac05e3ff-60e2-4e03-bbac-f9455e6a6d51\",\"name\":\"Managers\",\"type\":\"GROUP\"}],\"result\":{\"description\":\"Created Group Managers\",\"status\":\"SUCCESS\"}}",
- "outcome": "success",
- "type": [
- "creation",
- "group"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "ping_one": {
- "audit": {
- "action": {
- "description": "Group Created",
- "type": "GROUP.CREATED"
- },
- "actors": {
- "client": {
- "environment": {
- "id": "bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"
- },
- "href": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "id": "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "name": "RichardPatchetWorker",
- "type": "CLIENT"
- }
- },
- "correlation": {
- "id": "28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14"
- },
- "created_at": "2022-06-10T17:04:25.534Z",
- "id": "2076da4e-81ae-4cf4-803a-4ccc16419bc9",
- "recorded_at": "2022-06-10T17:04:25.518Z",
- "resources": [
- {
- "environment": {
- "id": "bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"
- },
- "href": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "id": 
"ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "name": "Managers",
- "type": "GROUP"
- }
- ],
- "result": {
- "description": "Created Group Managers",
- "status": "SUCCESS"
- }
- }
- },
- "related": {
- "user": [
- "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "RichardPatchetWorker"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "ping_one-audit"
- ],
- "url": {
- "domain": "api.pingone.com",
- "original": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "path": "/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "scheme": "https"
- }
-}
\ No newline at end of file
diff --git a/packages/ping_one/0.1.0/docs/README.md b/packages/ping_one/0.1.0/docs/README.md
deleted file mode 100755
index c8d8475889..0000000000
--- a/packages/ping_one/0.1.0/docs/README.md
+++ /dev/null
@@ -1,265 +0,0 @@
-# PingOne
-
-## Overview
-
-The [PingOne](https://www.pingidentity.com/en.html) integration allows you to monitor audit activity. PingOne is a cloud-based framework for secure identity access management.
-
-Use the PingOne integration to collect and parse data from the REST APIs or HTTP Endpoint input. Then visualize that data in Kibana.
-
-For example, you could use the data from this integration to know which action or activity is performed against a defined PingOne resource, and also track the actor or agent who initiated the action.
-
-## Data streams
-
-The PingOne integration collects logs for one type of event: Audit.
-
-**Audit** reporting stores incoming audit messages in a cache and provides endpoints for requesting audit events for a specific time period.
-
-## Requirements
-
-You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
-
-This module has been tested against `PingOne API version 1.0`.
-
-## Setup
-
-### To collect data from PingOne REST APIs, follow below steps:
-
-1. Go to the [PingOne console](https://www.pingidentity.com/en/account/sign-on.html), select PingOne as an Account and add username and password.
-2. Select Environment.
-3. Go to **Connections -> Applications**.
-4. Click **+** to create an application.
-5. Enter an Application Name.
-6. Select **Worker** as an application type.
-7. Click Save.
-8. Click the toggle switch to enable the application, if it is not already enabled.
-9. Go to **Configuration**.
-10. Copy **Token Endpoint**.
-11. Copy **Environment ID**, **Client ID** and **Client Secret** from General Section.
-
-For more details, see [Documentation](https://docs.pingidentity.com/bundle/pingone/page/vpz1564020488577.html).
-
-**Note** : Value of initial interval must be less than 2 years.
-
-### To collect data from PingOne via HTTP Endpoint, follow below steps:
-
-1. Reference link for configuring [HTTP Endpoint Remote logging](https://docs.pingidentity.com/bundle/pingone/page/sxi1589922927893.html) for PingOne.
-2. In Destination, enter the full URL, including the port.
-`Example Format: http[s]://{AGENT_ADDRESS}:{AGENT_PORT}/{URL}`.
-
-**Note** :
-- Select Ping Activity Format (JSON) in the format drop down.
-- HTTP Endpoint Remote logging will expose the port to the internet, therefore it is advised to have proper network access configured.
-
-## Logs Reference
-
-#### audit
-
-This is the `audit` dataset.
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2022-06-10T17:04:25.518Z",
- "agent": {
- "ephemeral_id": "3ec0008f-3b03-448a-8617-f9798d15e68d",
- "hostname": "docker-fleet-agent",
- "id": "8e2910ec-3bb9-439a-90a1-acedb9847388",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "client": {
- "user": {
- "id": "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "name": "RichardPatchetWorker"
- }
- },
- "data_stream": {
- "dataset": "ping_one.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "8e2910ec-3bb9-439a-90a1-acedb9847388",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "group.created",
- "agent_id_status": "verified",
- "category": [
- "iam",
- "configuration"
- ],
- "created": "2022-10-03T07:21:04.317Z",
- "dataset": "ping_one.audit",
- "id": "2076da4e-81ae-4cf4-803a-4ccc16419bc9",
- "ingested": "2022-10-03T07:21:05Z",
- "kind": "event",
- "original": "{\"_links\":{\"self\":{\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/2076da4e-81ae-4cf4-803a-4ccc16419bc9\"}},\"action\":{\"description\":\"Group 
Created\",\"type\":\"GROUP.CREATED\"},\"actors\":{\"client\":{\"environment\":{\"id\":\"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa\"},\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9\",\"id\":\"830109c7-f8aa-491e-b2f2-8f7532ae85e9\",\"name\":\"RichardPatchetWorker\",\"type\":\"CLIENT\"}},\"correlationId\":\"28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14\",\"createdAt\":\"2022-06-10T17:04:25.534Z\",\"id\":\"2076da4e-81ae-4cf4-803a-4ccc16419bc9\",\"recordedAt\":\"2022-06-10T17:04:25.518Z\",\"resources\":[{\"environment\":{\"id\":\"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa\"},\"href\":\"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51\",\"id\":\"ac05e3ff-60e2-4e03-bbac-f9455e6a6d51\",\"name\":\"Managers\",\"type\":\"GROUP\"}],\"result\":{\"description\":\"Created Group Managers\",\"status\":\"SUCCESS\"}}",
- "outcome": "success",
- "type": [
- "creation",
- "group"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "ping_one": {
- "audit": {
- "action": {
- "description": "Group Created",
- "type": "GROUP.CREATED"
- },
- "actors": {
- "client": {
- "environment": {
- "id": "bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"
- },
- "href": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "id": "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "name": "RichardPatchetWorker",
- "type": "CLIENT"
- }
- },
- "correlation": {
- "id": "28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14"
- },
- "created_at": "2022-06-10T17:04:25.534Z",
- "id": "2076da4e-81ae-4cf4-803a-4ccc16419bc9",
- "recorded_at": "2022-06-10T17:04:25.518Z",
- "resources": [
- {
- "environment": {
- "id": "bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"
- },
- "href": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "id": 
"ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "name": "Managers",
- "type": "GROUP"
- }
- ],
- "result": {
- "description": "Created Group Managers",
- "status": "SUCCESS"
- }
- }
- },
- "related": {
- "user": [
- "830109c7-f8aa-491e-b2f2-8f7532ae85e9",
- "RichardPatchetWorker"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "ping_one-audit"
- ],
- "url": {
- "domain": "api.pingone.com",
- "original": "https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "path": "/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51",
- "scheme": "https"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.id | Unique identifier of the user. | keyword |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container ID. 
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| ping_one.audit.action.description | A string that specifies the description of the action performed. | text |
-| ping_one.audit.action.type | A string that specifies the type of action performed (such as authentication or password reset). | keyword |
-| ping_one.audit.actors.client.environment.id | A string that specifies the ID of the environment resource associated with the client. | keyword |
-| ping_one.audit.actors.client.href | A string that specifies the URL for the specified client resource. | keyword |
-| ping_one.audit.actors.client.id | A string that specifies the ID of the client. | keyword |
-| ping_one.audit.actors.client.name | A string that specifies the name assigned to the client for PingOne sign on. | keyword |
-| ping_one.audit.actors.client.type | A string that specifies the type of actor. Options are USER or CLIENT. | keyword |
-| ping_one.audit.actors.user.environment.id | A string that specifies the ID of the environment resource associated with the user. | keyword |
-| ping_one.audit.actors.user.href | A string that specifies the URL for the specified user resource. | keyword |
-| ping_one.audit.actors.user.id | A string that specifies the ID of the user. | keyword |
-| ping_one.audit.actors.user.name | A string that specifies the name assigned to the user for PingOne sign on. | keyword |
-| ping_one.audit.actors.user.population.id | A string that specifies the ID of the population resource associated with the user. 
| keyword |
-| ping_one.audit.actors.user.type | A string that specifies the type of actor. Options are USER or CLIENT. | keyword |
-| ping_one.audit.correlation.id | A string that specifies a PingOne identifier for multiple messages in a transaction. | keyword |
-| ping_one.audit.created_at | The date and time at which the event was created (ISO 8601 format). | date |
-| ping_one.audit.embedded | | flattened |
-| ping_one.audit.id | A string that specifies the ID of the audit activity event. | keyword |
-| ping_one.audit.recorded_at | The date and time at which the event was recorded (ISO 8601 format). | date |
-| ping_one.audit.resources.environment.id | The UUID assigned as the key for the environment resource. | keyword |
-| ping_one.audit.resources.href | A string that specifies the URL for the specified resource. | keyword |
-| ping_one.audit.resources.id | A string that specifies the ID assigned as the key for the identifier resource (such as the environment, population or event message). | keyword |
-| ping_one.audit.resources.name | A string that can be either the user name or the name of the environment, based on the resource type. | keyword |
-| ping_one.audit.resources.population.id | The UUID assigned as the key for the population resource. | keyword |
-| ping_one.audit.resources.type | A string that specifies the type of resource associated with the event. Options are USER, ORGANIZATION, or ENVIRONMENT. | keyword |
-| ping_one.audit.result.description | A string that specifies the description of the result of the operation. | text |
-| ping_one.audit.result.id | A string that specifies the ID for the result of the operation. | keyword |
-| ping_one.audit.result.status | A string that specifies the result of the operation. Options are succeeded or failed. | keyword |
-| ping_one.audit.tags | A string identifying the activity as the action of an administrator on other administrators. 
| keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/ping_one/0.1.0/img/ping-one-dashboard.png b/packages/ping_one/0.1.0/img/ping-one-dashboard.png deleted file mode 100755 index 8412a44992..0000000000 Binary files a/packages/ping_one/0.1.0/img/ping-one-dashboard.png and /dev/null differ diff --git a/packages/ping_one/0.1.0/img/ping-one-logo.svg b/packages/ping_one/0.1.0/img/ping-one-logo.svg deleted file mode 100755 index 3b973fb01e..0000000000 --- a/packages/ping_one/0.1.0/img/ping-one-logo.svg +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - - - - - - - - - - - - 
diff --git a/packages/ping_one/0.1.0/kibana/dashboard/ping_one-60aa0020-0ea5-11ed-9b69-fdafbf89c645.json b/packages/ping_one/0.1.0/kibana/dashboard/ping_one-60aa0020-0ea5-11ed-9b69-fdafbf89c645.json deleted file mode 100755 index 01b2e13ce5..0000000000 --- a/packages/ping_one/0.1.0/kibana/dashboard/ping_one-60aa0020-0ea5-11ed-9b69-fdafbf89c645.json +++ /dev/null 
@@ -1,187 +0,0 @@ -{ - "attributes": { - "description": "PingOne Audit Events Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-51ce7ced-ecbe-47d8-b44c-29280edd4930\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"51ce7ced-ecbe-47d8-b44c-29280edd4930\":{\"columnOrder\":[\"df05d0b2-cc00-4985-9cea-d7867eaf26ec\"],\"columns\":{\"df05d0b2-cc00-4985-9cea-d7867eaf26ec\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Login 
Attempts\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"password.check_failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"password.check_failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"df05d0b2-cc00-4985-9cea-d7867eaf26ec\",\"layerId\":\"51ce7ced-ecbe-47d8-b44c-29280edd4930\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b171dc30-7696-4a0b-b139-c39c3510e7e4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"b171dc30-7696-4a0b-b139-c39c3510e7e4\",\"title\":\"Failed Login Attempts by User [Logs 
PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-78678de6-0476-4e1f-a596-0c2fa3a93338\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"78678de6-0476-4e1f-a596-0c2fa3a93338\":{\"columnOrder\":[\"c0a9f92a-025d-4a62-9640-caff91c11e80\"],\"columns\":{\"c0a9f92a-025d-4a62-9640-caff91c11e80\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Successful Login Attempts\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"password.check_succeeded\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"password.check_succeeded\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c0a9f92a-025d-4a62-9640-caff91c11e80\",\"layerId\":\"78678de6-0476-4e1f-a596-0c2fa3a93338\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"541cb763-c836-415e-a9af-789de24f8260\",\"w\":24,\"x\":24,\
"y\":0},\"panelIndex\":\"541cb763-c836-415e-a9af-789de24f8260\",\"title\":\"Successful Login Attempts by User [Logs PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4be2a49d-b64e-4a7c-9b66-c5473cb008a7\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4be2a49d-b64e-4a7c-9b66-c5473cb008a7\":{\"columnOrder\":[\"eef64b8a-9115-4a5f-ba6b-847b58222d62\",\"1eeab1c9-dfa6-47a2-b810-cf6a8370a0d9\"],\"columns\":{\"1eeab1c9-dfa6-47a2-b810-cf6a8370a0d9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eef64b8a-9115-4a5f-ba6b-847b58222d62\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action 
Performed\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1eeab1c9-dfa6-47a2-b810-cf6a8370a0d9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1eeab1c9-dfa6-47a2-b810-cf6a8370a0d9\"],\"layerId\":\"4be2a49d-b64e-4a7c-9b66-c5473cb008a7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"xAccessor\":\"eef64b8a-9115-4a5f-ba6b-847b58222d62\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f366cdb3-abe6-422f-bb1e-3e9903fc4214\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f366cdb3-abe6-422f-bb1e-3e9903fc4214\",\"title\":\"Distribution of Audit Events by Action Performed [Logs 
PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e5c62b90-3b50-4521-b278-7fa0efcfdd07\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5c62b90-3b50-4521-b278-7fa0efcfdd07\":{\"columnOrder\":[\"45a4dd7b-656b-451b-8bc5-728a4be9f6f8\",\"908f117c-5c96-43c9-aadb-1193f5f90c0b\"],\"columns\":{\"45a4dd7b-656b-451b-8bc5-728a4be9f6f8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"908f117c-5c96-43c9-aadb-1193f5f90c0b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"ping_one.audit.resources.type\"},\"908f117c-5c96-43c9-aadb-1193f5f90c0b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45a4dd7b-656b-451b-8bc5-728a4be9f6f8\"],\"layerId\":\"e5c62b90-3b50-4521-b278-7fa0efcfdd07\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"908f117c-5c96-43c9-aadb-1193f5f90c0b\",\"nestedLegend\":false,\"numberDisplay\":\"percent
\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2d4a493a-2f5b-4d20-92b9-8d26f69a7c15\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"2d4a493a-2f5b-4d20-92b9-8d26f69a7c15\",\"title\":\"Distribution of Audit Events by Resource Type [Logs PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b92cb753-e544-4b06-af94-2a33f1626918\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b92cb753-e544-4b06-af94-2a33f1626918\":{\"columnOrder\":[\"79efd644-cd0f-40b0-b6c9-9e92840b5f7e\",\"05082aee-c5b2-4e19-b30a-8736a5ec9ca5\"],\"columns\":{\"05082aee-c5b2-4e19-b30a-8736a5ec9ca5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"79efd644-cd0f-40b0-b6c9-9e92840b5f7e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"05082aee-c5b2-4e19-b30a-8736a5ec9ca5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"ping_one.audit.actors.user.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"79efd644-cd0f-40b0-b6c9-9e92840b5f7e\"],\"layerId\":\"b92cb753-e544-4b06-af94-2a33f1626918\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"05082aee-c5b2-4e19-b30a-8736a5ec9ca5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d670c1b4-16d8-418d-8ae4-a989d2621756\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d670c1b4-16d8-418d-8ae4-a989d2621756\",\"title\":\"Distribution of Audit Events by User Type [Logs 
PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b550c5b-75eb-45f6-b930-8f68ebfc9f92\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b550c5b-75eb-45f6-b930-8f68ebfc9f92\":{\"columnOrder\":[\"ee6e8d51-01bb-481e-934f-920a14b68991\",\"302619f7-a5f4-433e-bdbc-9ee9b712c0ad\"],\"columns\":{\"302619f7-a5f4-433e-bdbc-9ee9b712c0ad\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ee6e8d51-01bb-481e-934f-920a14b68991\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Result Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"302619f7-a5f4-433e-bdbc-9ee9b712c0ad\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ee6e8d51-01bb-481e-934f-920a14b68991\"],\"layerId\":\"3b550c5b-75eb-45f6-b930-8f68ebfc9f92\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"302619f7-a5f4-433e-bdbc-9ee9b712c0ad\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"
\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"050483a1-63f0-421e-bb38-fc75080f0598\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"050483a1-63f0-421e-bb38-fc75080f0598\",\"title\":\"Distribution of Audit Events by Result Status [Logs PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3c375199-0e31-42bf-8cb8-407de34be3a5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3c375199-0e31-42bf-8cb8-407de34be3a5\":{\"columnOrder\":[\"e2bc6927-cc94-467a-b2a2-e1534175d8fe\",\"c984d344-e5a1-49be-8168-542b51e55362\"],\"columns\":{\"c984d344-e5a1-49be-8168-542b51e55362\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e2bc6927-cc94-467a-b2a2-e1534175d8fe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c984d344-e5a1-49be-8168-542b51e55362\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"ping_one.audit.resources.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e2bc6927-cc94-467a-b2a2-e1534175d8fe\",\"isTransposed\":false},{\"columnId\":\"c984d344-e5a1-49be-8168-542b51e55362\",\"isTransposed\":false}],\"layerId\":\"3c375199-0e31-42bf-8cb8-407de34be3a5\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f8fb919d-6f85-4bd0-98ab-b74fdcceff7a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f8fb919d-6f85-4bd0-98ab-b74fdcceff7a\",\"title\":\"Top 10 Resource Name [Logs 
PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8373d580-15e8-486d-87c8-b8316290e584\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8373d580-15e8-486d-87c8-b8316290e584\":{\"columnOrder\":[\"c83a0599-364b-4110-8c86-f7753f1c1602\",\"b7b3f784-7a3e-4c86-908a-d8d4e98df94c\"],\"columns\":{\"b7b3f784-7a3e-4c86-908a-d8d4e98df94c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c83a0599-364b-4110-8c86-f7753f1c1602\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b3f784-7a3e-4c86-908a-d8d4e98df94c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"ping_one.audit.actors.client.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c83a0599-364b-4110-8c86-f7753f1c1602\"],\"layerId\":\"8373d580-15e8-486d-87c8-b8316290e584\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b7b3f784-7a3e-4c86-908a-d8d4e98df94c\",\"nestedLegend\":false,\"numberDisplay\":\"perce
nt\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bd14c8b1-fe2b-42e6-b7f6-e04826a91062\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"bd14c8b1-fe2b-42e6-b7f6-e04826a91062\",\"title\":\"Distribution of Audit Events by Client Type [Logs PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a02e2ffa-5b05-4499-8676-4d25366a4570\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a02e2ffa-5b05-4499-8676-4d25366a4570\":{\"columnOrder\":[\"a3c48187-4df4-4cfc-be29-856f28aae21b\",\"b1c2327d-0dbf-425f-a17e-408011ab6995\"],\"columns\":{\"a3c48187-4df4-4cfc-be29-856f28aae21b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b1c2327d-0dbf-425f-a17e-408011ab6995\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"b1c2327d-0dbf-425f-a17e-408011ab6995\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a3c48187-4df4-4cfc-be29-856f28aae21b\",\"isTransposed\":false},{\"columnId\":\"b1c2327d-0dbf-425f-a17e-408011ab6995\",\"isTransposed\":false}],\"layerId\":\"a02e2ffa-5b05-4499-8676-4d25366a4570\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"457c49dc-7f3d-4525-aab6-80d269e9a190\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"457c49dc-7f3d-4525-aab6-80d269e9a190\",\"title\":\"Top 10 User Name [Logs 
PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-209f4e8b-cfa2-4c15-89b7-c375645a5404\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"209f4e8b-cfa2-4c15-89b7-c375645a5404\":{\"columnOrder\":[\"b85ce940-4959-4e3b-bfad-b34c3a9753fd\",\"9c2bfaf0-7174-42d8-a6d3-80b553da60f5\"],\"columns\":{\"9c2bfaf0-7174-42d8-a6d3-80b553da60f5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b85ce940-4959-4e3b-bfad-b34c3a9753fd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9c2bfaf0-7174-42d8-a6d3-80b553da60f5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"client.user.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ping_one.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ping_one.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b85ce940-4959-4e3b-bfad-b34c3a9753fd\"},{\"columnId\":\"9c2bfaf0-7174-42d8-a6d3-80b553da60f5\"}],\"layerId\":\"209f4e8b-cfa2-4c15-89b7-c375645a5404\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":fal
se},\"gridData\":{\"h\":15,\"i\":\"a39acafa-15cb-485d-8048-491c3ce28fff\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a39acafa-15cb-485d-8048-491c3ce28fff\",\"title\":\"Top 10 Client Name [Logs PingOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs PingOne] Audit Events", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "ping_one-60aa0020-0ea5-11ed-9b69-fdafbf89c645", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b171dc30-7696-4a0b-b139-c39c3510e7e4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b171dc30-7696-4a0b-b139-c39c3510e7e4:indexpattern-datasource-layer-51ce7ced-ecbe-47d8-b44c-29280edd4930", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b171dc30-7696-4a0b-b139-c39c3510e7e4:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b171dc30-7696-4a0b-b139-c39c3510e7e4:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "541cb763-c836-415e-a9af-789de24f8260:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "541cb763-c836-415e-a9af-789de24f8260:indexpattern-datasource-layer-78678de6-0476-4e1f-a596-0c2fa3a93338", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "541cb763-c836-415e-a9af-789de24f8260:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "541cb763-c836-415e-a9af-789de24f8260:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f366cdb3-abe6-422f-bb1e-3e9903fc4214:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"f366cdb3-abe6-422f-bb1e-3e9903fc4214:indexpattern-datasource-layer-4be2a49d-b64e-4a7c-9b66-c5473cb008a7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f366cdb3-abe6-422f-bb1e-3e9903fc4214:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2d4a493a-2f5b-4d20-92b9-8d26f69a7c15:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2d4a493a-2f5b-4d20-92b9-8d26f69a7c15:indexpattern-datasource-layer-e5c62b90-3b50-4521-b278-7fa0efcfdd07", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2d4a493a-2f5b-4d20-92b9-8d26f69a7c15:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d670c1b4-16d8-418d-8ae4-a989d2621756:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d670c1b4-16d8-418d-8ae4-a989d2621756:indexpattern-datasource-layer-b92cb753-e544-4b06-af94-2a33f1626918", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d670c1b4-16d8-418d-8ae4-a989d2621756:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "050483a1-63f0-421e-bb38-fc75080f0598:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "050483a1-63f0-421e-bb38-fc75080f0598:indexpattern-datasource-layer-3b550c5b-75eb-45f6-b930-8f68ebfc9f92", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "050483a1-63f0-421e-bb38-fc75080f0598:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8fb919d-6f85-4bd0-98ab-b74fdcceff7a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8fb919d-6f85-4bd0-98ab-b74fdcceff7a:indexpattern-datasource-layer-3c375199-0e31-42bf-8cb8-407de34be3a5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"f8fb919d-6f85-4bd0-98ab-b74fdcceff7a:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bd14c8b1-fe2b-42e6-b7f6-e04826a91062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bd14c8b1-fe2b-42e6-b7f6-e04826a91062:indexpattern-datasource-layer-8373d580-15e8-486d-87c8-b8316290e584", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bd14c8b1-fe2b-42e6-b7f6-e04826a91062:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "457c49dc-7f3d-4525-aab6-80d269e9a190:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "457c49dc-7f3d-4525-aab6-80d269e9a190:indexpattern-datasource-layer-a02e2ffa-5b05-4499-8676-4d25366a4570", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "457c49dc-7f3d-4525-aab6-80d269e9a190:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a39acafa-15cb-485d-8048-491c3ce28fff:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a39acafa-15cb-485d-8048-491c3ce28fff:indexpattern-datasource-layer-209f4e8b-cfa2-4c15-89b7-c375645a5404", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a39acafa-15cb-485d-8048-491c3ce28fff:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ping_one/0.1.0/manifest.yml b/packages/ping_one/0.1.0/manifest.yml deleted file mode 100755 index a2b96748dc..0000000000 --- a/packages/ping_one/0.1.0/manifest.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -format_version: 1.0.0 -name: ping_one -title: PingOne -version: 0.1.0 -license: basic -description: Collect logs from PingOne with Elastic-Agent. -type: integration -categories: - - security -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/ping-one-dashboard.png - title: PingOne Audit Dashboard Screenshot - size: 600x600 - type: image/png -icons: - - src: /img/ping-one-logo.svg - title: PingOne logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: ping_one - title: PingOne - description: Collect logs from PingOne. - inputs: - - type: http_endpoint - title: Collect PingOne logs via HTTP Endpoint - description: Collecting PingOne logs via HTTP Endpoint. - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - name: secret_header - type: text - title: Secret Header - description: The header to check for a specific value specified by `secret.value`. - required: false - show_user: false - - name: secret_value - type: password - title: Secret Value - description: The secret stored in the header name specified by `secret.header`. - required: false - show_user: false - - type: httpjson - title: Collect PingOne logs via API - description: Collecting PingOne logs via API. - vars: - - name: api_path - type: text - title: URL - description: API Path of the PingOne App. 
Format of the API Path - https://api.pingone.{{regional_domain}} - required: true - - name: token_url - type: text - title: Token URL - description: Token URL of the PingOne App. - required: true - - name: environment_id - type: text - title: Environment ID - description: Environment ID of the PingOne App. - required: true - - name: client_id - type: text - title: Client ID - description: Client ID. - required: true - - name: client_secret - type: password - title: Client Secret - description: Client Secret. - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # 
H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations diff --git a/packages/trend_micro_vision_one/0.1.0/LICENSE.txt b/packages/trend_micro_vision_one/0.1.0/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/trend_micro_vision_one/0.1.0/changelog.yml b/packages/trend_micro_vision_one/0.1.0/changelog.yml deleted file mode 100755 index a4f2539876..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/changelog.yml +++ /dev/null @@ -1,6 +0,0 @@ -# newer versions go on top -- version: '0.1.0' - changes: - - description: Initial Release. - type: enhancement - link: https://github.com/elastic/integrations/pull/3963 diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs deleted file mode 100755 index c734c8fb69..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,57 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{hostname}}/v3.0/workbench/alerts -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: header.Authorization - value: 'Bearer {{api_token}}' - - set: - target: url.params.startDateTime - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' - - set: - target: url.params.endDateTime - value: '[[formatDate (now)]]' - - set: - target: url.params.orderBy - value: 'updatedDateTime asc' - - set: - target: url.params.dateTimeTarget - value: 'createdDateTime' -response.pagination: - - set: - target: url.value - value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_response.url.params.Get "endDateTime"]]' -response.split: - target: body.items -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b9b4ba94f3..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,559 +0,0 @@ ---- -description: Pipeline for processing Trend Micro Vision One Alert logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: event.kind - value: alert - - json: - field: event.original - target_field: json - ignore_failure: true - - script: - description: Set the value of event.category and event.type. - lang: painless - source: > - def eventCategory = new HashSet(); - def eventType = new HashSet(); - if (ctx.json?.description != null && ctx.json.description != '') { - def description = ctx.json.description.toLowerCase(); - if (description.contains('logon')) { - eventCategory.add('authentication'); - eventCategory.add('host'); - eventType.add('info'); - } else if (description.contains('email')) { - eventCategory.add('email'); - eventType.add('info'); - } else if (description.contains('network')) { - eventCategory.add('network'); - eventType.add('info'); - } else { - eventCategory.add('malware'); - eventType.add('info'); - } - } - if (!eventCategory.isEmpty()) { - ctx.event.category = eventCategory; - } - if (!eventType.isEmpty()) { - ctx.event.type = eventType; - } - - fingerprint: - fields: - - json.updatedDateTime - - json.createdDateTime - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.updatedDateTime - if: ctx.json?.updatedDateTime != null && ctx.json.updatedDateTime != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.id - target_field: trend_micro_vision_one.alert.id - ignore_missing: true - - set: - field: event.id - copy_from: trend_micro_vision_one.alert.id - ignore_failure: true - - convert: - field: json.score - target_field: trend_micro_vision_one.alert.score - if: ctx.json?.score != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 
'{{{_ingest.on_failure_message}}}' - - set: - field: event.severity - copy_from: trend_micro_vision_one.alert.score - ignore_failure: true - - rename: - field: json.severity - target_field: trend_micro_vision_one.alert.severity - ignore_missing: true - - set: - field: log.level - copy_from: trend_micro_vision_one.alert.severity - ignore_failure: true - - lowercase: - field: log.level - ignore_missing: true - - rename: - field: json.schemaVersion - target_field: trend_micro_vision_one.alert.schema_version - ignore_missing: true - - rename: - field: json.investigationStatus - target_field: trend_micro_vision_one.alert.investigation_status - ignore_missing: true - - rename: - field: json.workbenchLink - target_field: trend_micro_vision_one.alert.workbench_link - ignore_missing: true - - uri_parts: - field: trend_micro_vision_one.alert.workbench_link - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.alertProvider - target_field: trend_micro_vision_one.alert.alert_provider - ignore_missing: true - - rename: - field: json.model - target_field: trend_micro_vision_one.alert.model - ignore_missing: true - - convert: - field: json.impactScope.desktopCount - target_field: trend_micro_vision_one.alert.impact_scope.desktop_count - if: ctx.json?.impactScope?.desktopCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.impactScope.serverCount - target_field: trend_micro_vision_one.alert.impact_scope.server_count - if: ctx.json?.impactScope?.serverCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.impactScope.accountCount - target_field: trend_micro_vision_one.alert.impact_scope.account_count - if: ctx.json?.impactScope?.accountCount != '' - type: long - ignore_missing: true - 
on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.impactScope.emailAddressCount - target_field: trend_micro_vision_one.alert.impact_scope.email_address_count - if: ctx.json?.impactScope?.emailAddressCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.impactScope.entities - processor: - foreach: - field: _ingest._value.entityValue.ips - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - script: - description: Mapped value object field of impactScope. - lang: painless - if: ctx.json?.impactScope?.entities instanceof List - source: > - def impactscope_entities = ctx.json.impactScope.entities; - for (entity_object in impactscope_entities) { - if (!(entity_object.entityValue instanceof HashMap)) { - def entityValue = entity_object.entityValue; - entity_object.value = new HashMap(); - entity_object.value.account_value = entityValue; - entity_object.remove("entityValue"); - } - } - - foreach: - field: json.impactScope.entities - processor: - rename: - field: _ingest._value.entityValue - target_field: _ingest._value.value - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - processor: - convert: - field: _ingest._value.entityValue.ips - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - processor: - rename: - field: _ingest._value.entityType - target_field: _ingest._value.type - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - 
processor: - rename: - field: _ingest._value.entityId - target_field: _ingest._value.id - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - processor: - rename: - field: _ingest._value.relatedEntities - target_field: _ingest._value.related_entities - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - processor: - convert: - field: _ingest._value.relatedIndicatorIds - target_field: _ingest._value.related_indicator_id - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.impactScope.entities - processor: - remove: - field: _ingest._value.relatedIndicatorIds - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.impactScope.entities - target_field: trend_micro_vision_one.alert.impact_scope.entities - ignore_missing: true - - date: - field: json.createdDateTime - target_field: trend_micro_vision_one.alert.created_date - if: ctx.json?.createdDateTime != null && ctx.json.createdDateTime != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.description - target_field: trend_micro_vision_one.alert.description - ignore_missing: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.relatedEntities - target_field: _ingest._value.related_entities - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.matchedIndicatorPatternIds - target_field: _ingest._value.matched_indicator.pattern_id - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: 
_ingest._value.firstSeenDateTimes - processor: - date: - field: _ingest._value - target_field: _ingest._value - formats: - - ISO8601 - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.firstSeenDateTimes - target_field: _ingest._value.first_seen_date - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.filterIds - target_field: _ingest._value.filter_id - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.lastSeenDateTimes - processor: - date: - field: _ingest._value - target_field: _ingest._value - formats: - - ISO8601 - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.lastSeenDateTimes - target_field: _ingest._value.last_seen_date - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.indicators - target_field: trend_micro_vision_one.alert.indicators - ignore_missing: true - - foreach: - field: json.matchedIndicatorPatterns - processor: - rename: - field: _ingest._value.matchedLogs - target_field: _ingest._value.matched_log - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.matchedIndicatorPatterns - target_field: trend_micro_vision_one.alert.matched_indicators_pattern - ignore_missing: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - date: - field: _ingest._value.matchedDateTime - target_field: _ingest._value.date - formats: - - ISO8601 - ignore_failure: true - ignore_missing: true - ignore_failure: true - 
ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - remove: - field: _ingest._value.matchedDateTime - ignore_missing: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - rename: - field: _ingest._value.mitreTechniqueIds - target_field: _ingest._value.mitre_technique_id - ignore_missing: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - foreach: - field: _ingest._value.matchedEvents - processor: - date: - field: _ingest._value.matchedDateTime - target_field: _ingest._value.date - formats: - - ISO8601 - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - foreach: - field: _ingest._value.matchedEvents - processor: - remove: - field: _ingest._value.matchedDateTime - ignore_missing: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - foreach: - field: _ingest._value.matchedFilters - processor: - rename: - field: _ingest._value.matchedEvents - target_field: _ingest._value.events - ignore_missing: true - ignore_missing: true - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.matchedRules - processor: - rename: - field: _ingest._value.matchedFilters - target_field: _ingest._value.filter - ignore_missing: true - ignore_missing: true - 
ignore_failure: true - - rename: - field: json.matchedRules - target_field: trend_micro_vision_one.alert.matched_rule - ignore_missing: true - - rename: - field: json.campaign - target_field: trend_micro_vision_one.alert.campaign - ignore_missing: true - - rename: - field: json.industry - target_field: trend_micro_vision_one.alert.industry - ignore_missing: true - - rename: - field: json.regionAndCountry - target_field: trend_micro_vision_one.alert.region_and_country - ignore_missing: true - - rename: - field: json.createdBy - target_field: trend_micro_vision_one.alert.created_by - ignore_missing: true - - convert: - field: json.totalIndicatorCount - target_field: trend_micro_vision_one.alert.total_indicator_count - if: ctx.json?.totalIndicatorCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.matchedIndicatorCount - target_field: trend_micro_vision_one.alert.matched_indicator_count - if: ctx.json?.matchedIndicatorCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.reportLink - target_field: trend_micro_vision_one.alert.report_link - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - trend_micro_vision_one.alert.id - - trend_micro_vision_one.alert.score - - trend_micro_vision_one.alert.severity - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/agent.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/base-fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/base-fields.yml deleted file mode 100755 index 75af598bf0..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: trend_micro_vision_one.alert -- name: event.module - type: constant_keyword - description: Event module. - value: trend_micro_vision_one -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/ecs.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/ecs.yml deleted file mode 100755 index 29e8890ebe..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/ecs.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". 
- name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/fields.yml deleted file mode 100755 index 114d9dc0e3..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -- name: trend_micro_vision_one.alert - type: group - fields: - - name: alert_provider - type: keyword - description: Alert provider. - - name: campaign - type: keyword - description: An object-ref to a campaign object. - - name: created_by - type: keyword - description: Created by. - - name: created_date - type: date - description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. - - name: description - type: keyword - description: Description of the detection model that triggered the alert. - - name: id - type: keyword - description: Workbench ID. - - name: impact_scope - type: group - fields: - - name: account_count - type: long - description: Count of affected account. - - name: desktop_count - type: long - description: Count of affected desktop. - - name: email_address_count - type: long - description: Count of affected email address. - - name: entities - type: group - fields: - - name: value - type: group - fields: - - name: account_value - type: keyword - description: Account or emailAddress. - - name: guid - type: keyword - description: GUID. - - name: id - type: keyword - description: Impact scope entity id. - - name: ips - type: ip - description: Set of IPs. - - name: name - type: keyword - description: Host name. - - name: type - type: keyword - description: Impact scope entity type. - - name: related_entities - type: keyword - description: Related entities. - - name: related_indicator_id - type: long - description: Related indicator ids. - - name: server_count - type: long - description: Count of affected server. - - name: indicators - type: group - fields: - - name: field - type: keyword - description: Detailed description of the indicator. - - name: filter_id - type: keyword - description: Related matched filter ids. - - name: first_seen_date - type: date - description: First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). 
- - name: id - type: keyword - description: Indicator ID. - - name: last_seen_date - type: date - description: Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). - - name: matched_indicator - type: group - fields: - - name: pattern_id - type: keyword - description: Matched indicator pattern ids. - - name: provenance - type: keyword - description: Provenance. - - name: related_entities - type: keyword - description: Related entities. - - name: type - type: keyword - description: Indicator type. - - name: value - type: keyword - description: Indicator value. - - name: industry - type: keyword - description: Industry. - - name: investigation_status - type: keyword - description: Workbench alert status. - - name: matched_indicator_count - type: long - description: Matched indicator pattern count. - - name: matched_indicators_pattern - type: group - fields: - - name: id - type: keyword - description: Pattern ID. - - name: matched_log - type: keyword - description: Pattern matched log. - - name: pattern - type: keyword - description: STIX indicator will be a pattern. - - name: tags - type: keyword - description: Tags defined by STIX. - - name: matched_rule - type: group - fields: - - name: filter - type: group - fields: - - name: date - type: date - description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). - - name: events - type: group - fields: - - name: date - type: date - description: Matched event date. - - name: event_uuid - type: keyword - description: Matched event uuid. - - name: id - type: keyword - description: Matched filter id. - - name: mitre_technique_id - type: keyword - description: Mitre technique id. - - name: name - type: keyword - description: Filter name. - - name: id - type: keyword - description: The rules are triggered. - - name: name - type: keyword - description: Matched rule name. 
- - name: model - type: keyword - description: Name of the detection model that triggered the alert. - - name: region_and_country - type: keyword - description: region/country. - - name: report_link - type: keyword - description: A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. - - name: schema_version - type: keyword - description: The version of the JSON schema, not the version of alert trigger content. - - name: score - type: long - description: Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. - - name: severity - type: keyword - description: Workbench alert severity. - - name: total_indicator_count - type: long - description: Total indicator pattern count. - - name: workbench_link - type: keyword - description: Workbench URL. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/manifest.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/manifest.yml deleted file mode 100755 index 07230e95c4..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: Collect Alert logs from Trend Micro Vision One. -type: logs -streams: - - input: httpjson - title: Alert logs - description: Collect alert logs from Trend Micro Vision One. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the alert from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. - default: 5m - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. - multi: false - required: true - show_user: false - default: 30s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - trend_micro_vision_one-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve trend_micro_vision_one.alert fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/0.1.0/data_stream/alert/sample_event.json deleted file mode 100755 index 70fae695a6..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/alert/sample_event.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "@timestamp": "2030-04-30T00:01:16.000Z", - "agent": { - "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69", - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.0" - }, - "data_stream": { - "dataset": "trend_micro_vision_one.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "snapshot": false, - "version": "8.4.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-09-30T11:50:26.826Z", - "dataset": "trend_micro_vision_one.alert", - "id": "WB-9002-20200427-0002", - "ingested": "2022-09-30T11:50:30Z", - "kind": "alert", - "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request 
url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", - "severity": 63, - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "log": { - "level": "critical" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "trend_micro_vision_one-alert" - ], - "trend_micro_vision_one": { - "alert": { - "alert_provider": "SAE", - "created_date": "2020-04-30T00:01:15.000Z", - "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", - "id": "WB-9002-20200427-0002", - "impact_scope": { - "account_count": 0, - "desktop_count": 0, - "email_address_count": 0, - "entities": [ - { - "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", - "provenance": [ - "Alert" - ], - "related_entities": [ - "CODERED\\\\user" - ], - "related_indicator_id": [ - 1 - ], - "type": "host", - "value": { - "account_value": "user@email.com" - } - } - ], - "server_count": 0 - }, - "indicators": [ - { - "field": "request url", - "filter_id": [ - "f862df72-7f5e-4b2b-9f7f-9148e875f908" - ], - "id": 1, - "provenance": [ - "Alert" - ], - "related_entities": [ - "user@example.com" - ], - 
"type": "url", - "value": "http://www.example.com/ab001.zip" - } - ], - "investigation_status": "New", - "matched_rule": [ - { - "filter": [ - { - "date": "2019-08-02T04:00:01.000Z", - "events": [ - { - "date": "2019-08-02T04:00:01.000Z", - "type": "TELEMETRY_REGISTRY", - "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" - } - ], - "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", - "mitre_technique_id": [ - "T1192" - ], - "name": "(T1192) Spearphishing Link" - } - ], - "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", - "name": "Possible SpearPhishing Email" - } - ], - "model": "Possible APT Attack", - "schema_version": "1.0", - "score": 63, - "severity": "critical", - "workbench_link": "https://THE_WORKBENCH_URL" - } - }, - "url": { - "original": "https://THE_WORKBENCH_URL", - "scheme": "https" - } -} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 4c6a8869bf..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{hostname}}/v3.0/audit/logs -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: header.Authorization - value: 'Bearer {{api_token}}' - - set: - target: url.params.top - value: '200' - - set: - target: url.params.startDateTime - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' - - set: - target: url.params.endDateTime - value: '[[formatDate (now)]]' - - set: - target: url.params.orderBy - value: 'loggedDateTime asc' - - set: - target: url.params.labels - value: 'all' -response.pagination: - - set: - target: url.value - value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_response.url.params.Get "endDateTime"]]' -response.split: - target: body.items -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 37d39000a5..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,171 +0,0 @@ ---- -description: Pipeline for processing Trend Micro Vision One Audit logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: event.kind - value: event - - json: - field: event.original - target_field: json - ignore_failure: true - - script: - description: Set the value of event.category and event.type. - lang: painless - source: > - def eventCategory = new HashSet(); - def eventType = new HashSet(); - if (ctx.json?.category != null && ctx.json.category != '' && ctx.json.activity != null && ctx.json.activity != '') { - def category = ctx.json.category.toLowerCase(); - def activity = ctx.json.activity.toLowerCase(); - if (['logon and logoff', 'saml single sign-on'].contains(category)) { - eventCategory.add('authentication'); - if (['log on', 'enable single sign-on'].contains(activity)) { - eventType.add('start'); - } - if (['log off', 'disable single sign-on'].contains(activity)) { - eventType.add('end'); - } else { - eventType.add('info'); - } - } - if (['account management', 'product connector', 'Notifications', 'detection model management', 'workbench', 'response management', 'search', 'managed xdr', 'third-party integration', 'service gateway inventory', 'endpoint inventory', 'endpoint security policies', 'zero trust secure access', 'sandbox analysis', 'oat', 'security playbooks'].contains(category)) { - eventCategory.add('authentication'); - eventType.add('info'); - } - if (category == 'network inventory') { - eventCategory.add('network'); - eventType.add('info'); - } - if (category == 'threat intelligence') { - eventCategory.add('threat'); - eventType.add('indicator'); - } - if (activity == 'email') { - eventCategory.add('email'); - } - if (activity == 'file') { - eventCategory.add('file'); - } - if (activity == 'threat') { - eventCategory.add('threat'); - } - } - if (!eventCategory.isEmpty()) { - ctx.event.category = 
eventCategory; - } - if (!eventType.isEmpty()) { - ctx.event.type = eventType; - } - - fingerprint: - fields: - - json.loggedDateTime - - json.loggedUser - - json.loggedRole - - json.category - - json.activity - - json.details - target_field: _id - ignore_missing: true - - date: - field: json.loggedDateTime - if: ctx.json?.loggedDateTime != null && ctx.json.loggedDateTime != '' - formats: - - ISO8601 - - yyyy-MM-dd HH:mm:ss - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.loggedUser - target_field: trend_micro_vision_one.audit.logged_user - ignore_missing: true - - set: - field: source.user.name - copy_from: trend_micro_vision_one.audit.logged_user - ignore_failure: true - - rename: - field: json.loggedRole - target_field: trend_micro_vision_one.audit.logged_role - ignore_missing: true - - set: - field: source.user.roles - copy_from: trend_micro_vision_one.audit.logged_role - ignore_failure: true - - rename: - field: json.accessType - target_field: trend_micro_vision_one.audit.access_type - ignore_missing: true - - rename: - field: json.category - target_field: trend_micro_vision_one.audit.category - ignore_missing: true - - rename: - field: json.activity - target_field: trend_micro_vision_one.audit.activity - ignore_missing: true - - rename: - field: json.result - target_field: trend_micro_vision_one.audit.result - ignore_missing: true - - set: - field: event.outcome - value: 'success' - if: ctx.trend_micro_vision_one?.audit?.result == 'Successful' - - set: - field: event.outcome - value: 'failure' - if: ctx.trend_micro_vision_one?.audit?.result == 'Unsuccessful' - - rename: - field: json.details - target_field: trend_micro_vision_one.audit.details - ignore_missing: true - - remove: - field: json - ignore_missing: true - - append: - field: related.user - value: '{{{source.user.name}}}' - if: ctx.source?.user?.name != null - allow_duplicates: false - ignore_failure: true - - remove: - field: - - 
trend_micro_vision_one.audit.logged_user - - trend_micro_vision_one.audit.logged_role - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/agent.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/base-fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 8a5aa585b1..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: trend_micro_vision_one.audit -- name: event.module - type: constant_keyword - description: Event module. - value: trend_micro_vision_one -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/ecs.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index bd27b7048b..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: source.user.roles - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 7b18021ce6..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/fields/fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: trend_micro_vision_one.audit - type: group - fields: - - name: access_type - type: keyword - description: Source of the activity. - - name: activity - type: keyword - description: The activity that was performed. - - name: category - type: keyword - description: Category. - - name: details - type: flattened - description: Object that contains a list of elements to be retrieved from the "details" field. - - name: logged_role - type: keyword - description: Role of the account. - - name: logged_user - type: keyword - description: The account that was used to perform the activity. - - name: result - type: keyword - description: Result. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/manifest.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/manifest.yml deleted file mode 100755 index 3376929cdb..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: Collect Audit logs from Trend Micro Vision One. -type: logs -streams: - - input: httpjson - title: Audit logs - description: Collect audit logs from Trend Micro Vision One. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the audit from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. - default: 5m - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. - multi: false - required: true - show_user: false - default: 30s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - trend_micro_vision_one-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: false - title: Preserve duplicate custom fields - description: Preserve trend_micro_vision_one.audit fields that were copied to Elastic Common Schema (ECS) fields. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/0.1.0/data_stream/audit/sample_event.json deleted file mode 100755 index c198ffb7ac..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "@timestamp": "2022-02-24T07:29:48.000Z", - "agent": { - "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71", - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.0" - }, - "data_stream": { - "dataset": "trend_micro_vision_one.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "snapshot": false, - "version": "8.4.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "created": "2022-09-30T11:51:11.031Z", - "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-09-30T11:51:14Z", - "kind": "event", - "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", - "outcome": "failure", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "Root Account" - ] - }, - "source": { - "user": { - "name": "Root Account", - "roles": "Master Administrator" - } - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "trend_micro_vision_one-audit" - ], - "trend_micro_vision_one": { - "audit": { - "access_type": "Console", - "activity": "string", - "category": "Logon and Logoff", - "details": { - "property1": "string", - "property2": "string" - }, - "logged_role": "Master Administrator", - "logged_user": "Root Account", - "result": "Unsuccessful" - } - } -} \ No newline at end of file 
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/agent/stream/httpjson.yml.hbs deleted file mode 100755 index e40bef49be..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,60 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{hostname}}/v3.0/search/detections -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: header.Authorization - value: 'Bearer {{api_token}}' - - set: - target: header.TMV1-Query - value: 'uuid' - - set: - target: url.params.top - value: '5000' - - set: - target: url.params.startDateTime - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' - - set: - target: url.params.endDateTime - value: '[[formatDate (now)]]' - - set: - target: url.params.select - value: 'empty' -response.pagination: - - set: - target: url.value - value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_response.url.params.Get "endDateTime"]]' -response.split: - target: body.items -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3ec9660846..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,977 +0,0 @@ ---- -description: Pipeline for processing Trend Micro Vision One Alert logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: event.kind - value: event - - set: - field: event.category - value: [intrusion_detection] - - set: - field: event.type - value: [info] - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.eventTime - - json.rt_utc - - json.uuid - target_field: _id - ignore_missing: true - - date: - field: json.eventTime - if: ctx.json?.eventTime != null && ctx.json.eventTime != '' - formats: - - UNIX_MS - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.domainName - target_field: trend_micro_vision_one.detection.domain.name - ignore_missing: true - - set: - field: destination.domain - copy_from: trend_micro_vision_one.detection.domain.name - ignore_failure: true - - convert: - field: json.dst - target_field: trend_micro_vision_one.detection.destination.ip - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - copy_from: trend_micro_vision_one.detection.destination.ip - ignore_failure: true - - convert: - field: json.dpt - target_field: trend_micro_vision_one.detection.destination.port - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.port - copy_from: trend_micro_vision_one.detection.destination.port - ignore_failure: true - - rename: - field: json.act - target_field: trend_micro_vision_one.detection.action - ignore_missing: true - - set: - field: event.action - copy_from: trend_micro_vision_one.detection.action - ignore_failure: true - - lowercase: - field: event.action - ignore_missing: 
true - - rename: - field: json.eventId - target_field: trend_micro_vision_one.detection.event_id - ignore_missing: true - - set: - field: event.id - copy_from: trend_micro_vision_one.detection.event_id - ignore_failure: true - - rename: - field: json.objectFileHashMd5 - target_field: trend_micro_vision_one.detection.object.file.hash.md5 - ignore_missing: true - - set: - field: file.hash.md5 - copy_from: trend_micro_vision_one.detection.object.file.hash.md5 - ignore_failure: true - - rename: - field: json.objectFileHashSha1 - target_field: trend_micro_vision_one.detection.object.file.hash.sha1 - ignore_missing: true - - set: - field: file.hash.sha1 - copy_from: trend_micro_vision_one.detection.object.file.hash.sha1 - ignore_failure: true - - rename: - field: json.objectFileHashSha256 - target_field: trend_micro_vision_one.detection.object.file.hash.sha256 - ignore_missing: true - - set: - field: file.hash.sha256 - copy_from: trend_micro_vision_one.detection.object.file.hash.sha256 - ignore_failure: true - - rename: - field: json.fileName - target_field: trend_micro_vision_one.detection.file_name - ignore_missing: true - - set: - field: file.name - copy_from: trend_micro_vision_one.detection.file_name - ignore_failure: true - - rename: - field: json.filePathName - target_field: trend_micro_vision_one.detection.file_path_name - ignore_missing: true - - set: - field: file.path - copy_from: trend_micro_vision_one.detection.file_path_name - ignore_failure: true - - convert: - field: json.fileSize - target_field: trend_micro_vision_one.detection.file_size - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: file.size - copy_from: trend_micro_vision_one.detection.file_size - ignore_failure: true - - rename: - field: json.hostName - target_field: trend_micro_vision_one.detection.hostname - ignore_missing: true - - set: - field: host.hostname - copy_from: 
trend_micro_vision_one.detection.hostname - ignore_failure: true - - rename: - field: json.endpointGUID - target_field: trend_micro_vision_one.detection.endpoint.guid - ignore_missing: true - - set: - field: host.id - copy_from: trend_micro_vision_one.detection.endpoint.guid - ignore_failure: true - - foreach: - field: json.endpointIp - processor: - append: - field: trend_micro_vision_one.detection.endpoint.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - set: - field: host.ip - copy_from: trend_micro_vision_one.detection.endpoint.ip - ignore_failure: true - - gsub: - field: json.endpointMacAddress - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: json.endpointMacAddress - ignore_missing: true - - rename: - field: json.endpointMacAddress - target_field: trend_micro_vision_one.detection.endpoint.mac - ignore_missing: true - - set: - field: host.mac - copy_from: trend_micro_vision_one.detection.endpoint.mac - ignore_failure: true - - rename: - field: json.endpointHostName - target_field: trend_micro_vision_one.detection.endpoint.hostname - ignore_missing: true - - set: - field: host.name - copy_from: trend_micro_vision_one.detection.endpoint.hostname - ignore_failure: true - - rename: - field: json.httpReferer - target_field: trend_micro_vision_one.detection.http_referer - ignore_missing: true - - set: - field: http.request.referrer - copy_from: trend_micro_vision_one.detection.http_referer - ignore_failure: true - - rename: - field: json.cat - target_field: trend_micro_vision_one.detection.severity_level - ignore_missing: true - - set: - field: event.severity - copy_from: trend_micro_vision_one.detection.severity_level - ignore_failure: true - - rename: - field: json.deviceDirection - target_field: trend_micro_vision_one.detection.device.direction - ignore_missing: true - - set: - field: network.direction - copy_from: 
trend_micro_vision_one.detection.device.direction - ignore_failure: true - - lowercase: - field: network.direction - ignore_missing: true - - rename: - field: json.app - target_field: trend_micro_vision_one.detection.protocol - ignore_missing: true - - set: - field: network.protocol - copy_from: trend_micro_vision_one.detection.protocol - ignore_failure: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: json.dhost - target_field: trend_micro_vision_one.detection.device.host - ignore_missing: true - - set: - field: observer.hostname - copy_from: trend_micro_vision_one.detection.device.host - ignore_failure: true - - gsub: - field: json.deviceMacAddress - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: json.deviceMacAddress - ignore_missing: true - - rename: - field: json.deviceMacAddress - target_field: trend_micro_vision_one.detection.device.mac - ignore_missing: true - - set: - field: observer.mac - copy_from: trend_micro_vision_one.detection.device.mac - ignore_failure: true - - rename: - field: json.processCmd - target_field: trend_micro_vision_one.detection.process.cmd - ignore_missing: true - - set: - field: process.command_line - copy_from: trend_micro_vision_one.detection.process.cmd - ignore_failure: true - - rename: - field: json.processName - target_field: trend_micro_vision_one.detection.process.name - ignore_missing: true - - set: - field: process.name - copy_from: trend_micro_vision_one.detection.process.name - ignore_failure: true - - convert: - field: json.processPid - target_field: trend_micro_vision_one.detection.process.pid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: process.pid - copy_from: trend_micro_vision_one.detection.process.pid - ignore_failure: true - - convert: - field: json.src - target_field: trend_micro_vision_one.detection.source.ip - type: ip - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: trend_micro_vision_one.detection.source.ip - ignore_failure: true - - convert: - field: json.spt - target_field: trend_micro_vision_one.detection.source.port - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.port - copy_from: trend_micro_vision_one.detection.source.port - ignore_failure: true - - rename: - field: json.tacticId - target_field: trend_micro_vision_one.detection.tactic_id - ignore_missing: true - - set: - field: threat.tactic.id - copy_from: trend_micro_vision_one.detection.tactic_id - ignore_failure: true - - rename: - field: json.requestClientApplication - target_field: trend_micro_vision_one.detection.request_client_application - ignore_missing: true - - set: - field: url.request - copy_from: trend_micro_vision_one.detection.request_client_application - ignore_failure: true - - user_agent: - field: url.request - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.actResult - target_field: trend_micro_vision_one.detection.action_result - ignore_missing: true - - rename: - field: json.behaviorCat - target_field: trend_micro_vision_one.detection.behavior_category - ignore_missing: true - - rename: - field: json.blocking - target_field: trend_micro_vision_one.detection.block - ignore_missing: true - - rename: - field: json.clientFlag - target_field: trend_micro_vision_one.detection.client_flag - ignore_missing: true - - rename: - field: json.component - target_field: trend_micro_vision_one.detection.component_version - ignore_missing: true - - convert: - field: json.compressedFileSize - target_field: trend_micro_vision_one.detection.compressed_file_size - type: long - ignore_missing: true - on_failure: - - 
append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.dstGroup - target_field: trend_micro_vision_one.detection.destination.ip_group - ignore_missing: true - - rename: - field: json.cccaDetection - target_field: trend_micro_vision_one.detection.detection - ignore_missing: true - - rename: - field: json.cccaDetectionSource - target_field: trend_micro_vision_one.detection.detection_source - ignore_missing: true - - rename: - field: json.detectionType - target_field: trend_micro_vision_one.detection.detection_type - ignore_missing: true - - convert: - field: json.cccaRiskLevel - target_field: trend_micro_vision_one.detection.risk_level - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.mDeviceGUID - target_field: trend_micro_vision_one.detection.device.guid - ignore_missing: true - - rename: - field: json.deviceGUID - target_field: trend_micro_vision_one.detection.device.id - ignore_missing: true - - convert: - field: json.mDevice - target_field: trend_micro_vision_one.detection.device.ip - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.deviceProcessName - target_field: trend_micro_vision_one.detection.device.process_name - ignore_missing: true - - date: - field: json.end - target_field: trend_micro_vision_one.detection.end_time - if: ctx.json?.end != null && ctx.json.end != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.engType - target_field: trend_micro_vision_one.detection.engine_type - ignore_missing: true - - rename: - field: json.engVer - target_field: trend_micro_vision_one.detection.engine_version - ignore_missing: true - - rename: - field: json.eventName - target_field: 
trend_micro_vision_one.detection.event_name - ignore_missing: true - - date: - field: json.eventTimeDT - target_field: trend_micro_vision_one.detection.event_time_dt - if: ctx.json?.eventTimeDT != null && ctx.json.eventTimeDT != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.fileHash - target_field: trend_micro_vision_one.detection.file_hash - ignore_missing: true - - rename: - field: json.fileOperation - target_field: trend_micro_vision_one.detection.file_operation - ignore_missing: true - - rename: - field: json.filePath - target_field: trend_micro_vision_one.detection.file_path - ignore_missing: true - - rename: - field: json.firstAct - target_field: trend_micro_vision_one.detection.first_action - ignore_missing: true - - rename: - field: json.firstActResult - target_field: trend_micro_vision_one.detection.first_action_result - ignore_missing: true - - rename: - field: json.fullPath - target_field: trend_micro_vision_one.detection.full_path - ignore_missing: true - - rename: - field: json.interestedHost - target_field: trend_micro_vision_one.detection.interested.host - ignore_missing: true - - convert: - field: json.interestedIp - target_field: trend_micro_vision_one.detection.interested.ip - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - gsub: - field: json.interestedMacAddress - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: json.interestedMacAddress - ignore_missing: true - - rename: - field: json.interestedMacAddress - target_field: trend_micro_vision_one.detection.interested.mac - ignore_missing: true - - rename: - field: json.malName - target_field: trend_micro_vision_one.detection.malware_name - ignore_missing: true - - rename: - field: json.malType - target_field: trend_micro_vision_one.detection.malware_type - ignore_missing: true - - 
rename: - field: json.objectCmd - target_field: trend_micro_vision_one.detection.object.cmd - ignore_missing: true - - rename: - field: json.objectFileName - target_field: trend_micro_vision_one.detection.object.file.name - ignore_missing: true - - rename: - field: json.objectFilePath - target_field: trend_micro_vision_one.detection.object.file.path - ignore_missing: true - - rename: - field: json.objectName - target_field: trend_micro_vision_one.detection.object.name - ignore_missing: true - - convert: - field: json.objectPid - target_field: trend_micro_vision_one.detection.object.pid - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.objectSigner - target_field: trend_micro_vision_one.detection.object.signer - ignore_missing: true - - rename: - field: json.parentCmd - target_field: trend_micro_vision_one.detection.parent.cmd - ignore_missing: true - - rename: - field: json.parentFileHashSha1 - target_field: trend_micro_vision_one.detection.parent.file.hash.sha1 - ignore_missing: true - - rename: - field: json.parentFileHashSha256 - target_field: trend_micro_vision_one.detection.parent.file.hash.sha256 - ignore_missing: true - - rename: - field: json.parentFilePath - target_field: trend_micro_vision_one.detection.parent.file.path - ignore_missing: true - - rename: - field: json.peerHost - target_field: trend_micro_vision_one.detection.peer.host - ignore_missing: true - - convert: - field: json.peerIp - target_field: trend_micro_vision_one.detection.peer.ip - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.processFileHashMd5 - target_field: trend_micro_vision_one.detection.process.file.hash.md5 - ignore_missing: true - - rename: - field: json.processFileHashSha1 - target_field: trend_micro_vision_one.detection.process.file.hash.sha1 - ignore_missing: true - - 
rename: - field: json.processFileHashSha256 - target_field: trend_micro_vision_one.detection.process.file.hash.sha256 - ignore_missing: true - - rename: - field: json.processFilePath - target_field: trend_micro_vision_one.detection.process.file.path - ignore_missing: true - - rename: - field: json.processSigner - target_field: trend_micro_vision_one.detection.process.signer - ignore_missing: true - - rename: - field: json.request - target_field: trend_micro_vision_one.detection.request - ignore_missing: true - - uri_parts: - field: trend_micro_vision_one.detection.request - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.productCode - target_field: trend_micro_vision_one.detection.product.code - ignore_missing: true - - rename: - field: json.mpname - target_field: trend_micro_vision_one.detection.mproduct.name - ignore_missing: true - - rename: - field: json.pname - target_field: trend_micro_vision_one.detection.product.name - ignore_missing: true - - rename: - field: json.mpver - target_field: trend_micro_vision_one.detection.mproduct.version - ignore_missing: true - - rename: - field: json.pver - target_field: trend_micro_vision_one.detection.product.version - ignore_missing: true - - rename: - field: json.appGroup - target_field: trend_micro_vision_one.detection.protocol_group - ignore_missing: true - - set: - field: trend_micro_vision_one.detection.related_apt - value: false - if: ctx.json?.aptRelated == '0'; - - set: - field: trend_micro_vision_one.detection.related_apt - value: true - if: ctx.json?.aptRelated == '1'; - - date: - field: json.rt - target_field: trend_micro_vision_one.detection.rt - if: ctx.json?.rt != null && ctx.json.rt != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.rt_utc - target_field: trend_micro_vision_one.detection.rt_utc - if: ctx.json?.rt_utc != null && ctx.json.rt_utc 
!= '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.searchDL - target_field: trend_micro_vision_one.detection.search_data_lake - ignore_missing: true - - rename: - field: json.mitreMapping - target_field: trend_micro_vision_one.detection.security_analytics.engine.name - ignore_missing: true - - rename: - field: json.mitreVersion - target_field: trend_micro_vision_one.detection.security_analytics.engine.version - ignore_missing: true - - rename: - field: json.srcGroup - target_field: trend_micro_vision_one.detection.source.group - ignore_missing: true - - rename: - field: json.threatName - target_field: trend_micro_vision_one.detection.threat_name - ignore_missing: true - - rename: - field: json.eventSubName - target_field: trend_micro_vision_one.detection.sub_name - ignore_missing: true - - rename: - field: json.tags - target_field: trend_micro_vision_one.detection.tags - ignore_missing: true - - convert: - field: json.cnt - target_field: trend_micro_vision_one.detection.total_count - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.uuid - target_field: trend_micro_vision_one.detection.uuid - ignore_missing: true - - convert: - field: json.aggregatedCount - target_field: trend_micro_vision_one.detection.aggregated_count - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.fileType - target_field: trend_micro_vision_one.detection.file_type - ignore_missing: true - - set: - field: file.type - copy_from: trend_micro_vision_one.detection.file_type - ignore_failure: true - - rename: - field: json.fileType - target_field: trend_micro_vision_one.detection.file_type - ignore_missing: true - - set: - field: file.type - copy_from: trend_micro_vision_one.detection.file_type - 
ignore_failure: true - - rename: - field: json.osName - target_field: trend_micro_vision_one.detection.os.name - ignore_missing: true - - set: - field: os.name - copy_from: trend_micro_vision_one.detection.os.name - ignore_failure: true - - rename: - field: json.policyName - target_field: trend_micro_vision_one.detection.policy.name - ignore_missing: true - - rename: - field: json.requestBase - target_field: trend_micro_vision_one.detection.request_base - ignore_missing: true - - rename: - field: json.suid - target_field: trend_micro_vision_one.detection.suid - ignore_missing: true - - rename: - field: json.urlCat - target_field: trend_micro_vision_one.detection.url_cat - ignore_missing: true - - rename: - field: json.userDomain - target_field: trend_micro_vision_one.detection.user.domain - ignore_missing: true - - set: - field: user.domain - copy_from: trend_micro_vision_one.detection.user.domain - ignore_failure: true - - rename: - field: json.profile - target_field: trend_micro_vision_one.detection.profile - ignore_missing: true - - rename: - field: json.principalName - target_field: trend_micro_vision_one.detection.principal_name - ignore_missing: true - - rename: - field: json.policyUuid - target_field: trend_micro_vision_one.detection.policy.uuid - ignore_missing: true - - rename: - field: json.sender - target_field: trend_micro_vision_one.detection.sender - ignore_missing: true - - rename: - field: json.logKey - target_field: trend_micro_vision_one.detection.policy.logkey - ignore_missing: true - - rename: - field: json.mimeType - target_field: trend_micro_vision_one.detection.mime_type - ignore_missing: true - - convert: - field: json.clientIp - target_field: trend_micro_vision_one.detection.client_ip - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: client.ip - copy_from: trend_micro_vision_one.detection.client_ip - ignore_failure: true - - remove: - field: json 
- ignore_missing: true - - append: - field: related.hash - value: '{{{file.hash.md5}}}' - if: ctx.file?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{file.hash.sha1}}}' - if: ctx.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{file.hash.sha256}}}' - if: ctx.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.file_hash}}}' - if: ctx.trend_micro_vision_one?.detection?.file_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha1}}}' - if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha256}}}' - if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.process.file.hash.md5}}}' - if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.process.file.hash.sha1}}}' - if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{trend_micro_vision_one.detection.process.file.hash.sha256}}}' - if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{host.hostname}}}' - if: ctx.host?.hostname != null - allow_duplicates: false - 
ignore_failure: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{observer.hostname}}}' - if: ctx.observer?.hostname != null - allow_duplicates: false - ignore_failure: true - - foreach: - field: destination.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: source.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: trend_micro_vision_one.detection.device.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: trend_micro_vision_one.detection.interested.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: trend_micro_vision_one.detection.peer.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: client.ip - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - remove: - field: - - trend_micro_vision_one.detection.domain.name - - trend_micro_vision_one.detection.destination.ip - - trend_micro_vision_one.detection.destination.port - - trend_micro_vision_one.detection.action - - trend_micro_vision_one.detection.event_id - - trend_micro_vision_one.detection.object.file.hash.md5 - - 
trend_micro_vision_one.detection.object.file.hash.sha1 - - trend_micro_vision_one.detection.object.file.hash.sha256 - - trend_micro_vision_one.detection.file_name - - trend_micro_vision_one.detection.file_path_name - - trend_micro_vision_one.detection.file_size - - trend_micro_vision_one.detection.hostname - - trend_micro_vision_one.detection.endpoint.guid - - trend_micro_vision_one.detection.endpoint.ip - - trend_micro_vision_one.detection.endpoint.mac - - trend_micro_vision_one.detection.endpoint.hostname - - trend_micro_vision_one.detection.http_referer - - trend_micro_vision_one.detection.severity_level - - trend_micro_vision_one.detection.device.direction - - trend_micro_vision_one.detection.protocol - - trend_micro_vision_one.detection.device.host - - trend_micro_vision_one.detection.device.mac - - trend_micro_vision_one.detection.process.cmd - - trend_micro_vision_one.detection.process.name - - trend_micro_vision_one.detection.process.pid - - trend_micro_vision_one.detection.source.ip - - trend_micro_vision_one.detection.source.port - - trend_micro_vision_one.detection.tactic_id - - trend_micro_vision_one.detection.request_client_application - - trend_micro_vision_one.detection.file_type - - trend_micro_vision_one.detection.os.name - - trend_micro_vision_one.detection.user.domain - - trend_micro_vision_one.detection.client_ip - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == '') {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
-- append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/agent.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/base-fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/base-fields.yml
deleted file mode 100755
index d144d282f1..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: trend_micro_vision_one.detection
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: trend_micro_vision_one
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/ecs.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/ecs.yml
deleted file mode 100755
index d69bedda27..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/ecs.yml
+++ /dev/null
@@ -1,227 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
- In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
- name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. 
- multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/fields.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/fields.yml
deleted file mode 100755
index d4d7aeba24..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/fields/fields.yml
+++ /dev/null
@@ -1,405 +0,0 @@ -- name: trend_micro_vision_one.detection - type: group - fields: - - name: action - type: keyword - description: Action by detect product. - - name: action_result - type: keyword - description: Action result by detect product. - - name: aggregated_count - type: long - description: Aggregated count. - - name: behavior_category - type: keyword - description: The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here. - - name: block - type: keyword - description: blocking Reason. - - name: client_flag - type: keyword - description: 0:Unknown 1:src 2:dst. - - name: client_ip - type: ip - description: Client IP. - - name: component_version - type: keyword - description: Product component version. - - name: compressed_file_size - type: long - description: File size after compressed. - - name: destination - type: group - fields: - - name: ip - type: ip - description: Destination IP address. - - name: ip_group - type: keyword - description: Destination IP address group. - - name: port - type: long - description: Destination port. - - name: detection - type: keyword - description: Yes (Tag it when it appears and the value is 1). - - name: detection_source - type: keyword - description: Detection source use by Deep Discovery Inspector. - - name: detection_type - type: keyword - description: Product detection type. - - name: device - type: group - fields: - - name: direction - type: keyword - description: '0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned).' - - name: guid - type: keyword - description: Device GUID. - - name: host - type: keyword - description: device host. - - name: id - type: keyword - description: Device identity. - - name: ip - type: ip - description: Devices ip list. - - name: mac - type: keyword - description: Mac address. - - name: process_name - type: keyword - description: Process name in device. 
- - name: domain - type: group - fields: - - name: name - type: keyword - description: Domain name. - - name: end_time - type: date - description: End time. - - name: endpoint - type: group - fields: - - name: guid - type: keyword - description: endpoint GUID for identity. - - name: hostname - type: keyword - description: Hostname of the endpoint on which the event was generated. - - name: ip - type: ip - description: Endpoint IP address list. - - name: mac - type: keyword - description: Endpoint Mac address. - - name: engine_type - type: keyword - description: Product scan engine type. - - name: engine_version - type: keyword - description: Product scan engine version. - - name: event_id - type: keyword - description: Event ID. - - name: event_name - type: keyword - description: Predefined event enumerator. - - name: event_time_dt - type: date - description: Detect time. - - name: file_hash - type: keyword - description: Detect file hash value. - - name: file_name - type: keyword - description: Detect file name. - - name: file_operation - type: keyword - description: Operation for detect file. - - name: file_path - type: keyword - description: Full file path without file name. - - name: file_path_name - type: keyword - description: Full file path. - - name: file_size - type: long - description: Detect file size. - - name: file_type - type: keyword - description: Detect file type. - - name: first_action - type: keyword - description: First action. - - name: first_action_result - type: keyword - description: First action result. - - name: full_path - type: keyword - description: File full path. - - name: hostname - type: keyword - description: host name. - - name: http_referer - type: keyword - description: http referer url. - - name: interested - type: group - fields: - - name: host - type: keyword - description: Highlighted indicator for incident response members. - - name: ip - type: ip - description: Highlighted indicator for incident response members. 
- - name: mac - type: keyword - description: Highlighted indicator for incident response members. - - name: malware_name - type: keyword - description: Malware name. - - name: malware_type - type: keyword - description: Malware type. - - name: mime_type - type: keyword - description: Mime type. - - name: mproduct - type: group - fields: - - name: name - type: keyword - description: Product name. - - name: version - type: keyword - description: Product Version. - - name: object - type: group - fields: - - name: cmd - type: keyword - description: The command line that a process detected by Attack Discovery uses to execute other processes. - - name: file - type: group - fields: - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: File Hash Md5 value. - - name: sha1 - type: keyword - description: File Hash Sha1 value. - - name: sha256 - type: keyword - description: File Hash Sha256 value. - - name: name - type: keyword - description: File name. - - name: path - type: keyword - description: File path. - - name: name - type: keyword - description: Detect object name. - - name: pid - type: long - description: Detect object Pid. - - name: signer - type: keyword - description: Signer. - - name: os - type: group - fields: - - name: name - type: keyword - description: 'Supported values: Linux, Windows, macOS, macOSX.' - - name: parent - type: group - fields: - - name: cmd - type: keyword - description: The command line that parent process. - - name: file - type: group - fields: - - name: hash - type: group - fields: - - name: sha1 - type: keyword - description: Parent file sha1. - - name: sha256 - type: keyword - description: Parent file sha256. - - name: path - type: keyword - description: Parent file path. - - name: peer - type: group - fields: - - name: host - type: keyword - description: Peer host name. - - name: ip - type: ip - description: Peer ip list. 
- - name: policy - type: group - fields: - - name: logkey - type: keyword - description: Policy logkey. - - name: name - type: keyword - description: Policy name. - - name: uuid - type: keyword - description: Policy uuid. - - name: principal_name - type: keyword - description: Principal name. - - name: process - type: group - fields: - - name: cmd - type: keyword - description: The command line used to launch this process. - - name: file - type: group - fields: - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Process file hash MD5 value. - - name: sha1 - type: keyword - description: Process file hash Sha1 value. - - name: sha256 - type: keyword - description: Process file hash Sha256 value. - - name: path - type: keyword - description: The process file path. - - name: name - type: keyword - description: Process name. - - name: pid - type: long - description: Process Pid. - - name: signer - type: keyword - description: Process signer. - - name: product - type: group - fields: - - name: code - type: keyword - description: Product code name. - - name: name - type: keyword - description: product name. - - name: version - type: keyword - description: Product version. - - name: profile - type: keyword - description: Profile - - name: protocol - type: keyword - description: Protocol detect by Deep Discovery Inspector. - - name: protocol_group - type: keyword - description: Protocol group detect by Deep Discovery Inspector. - - name: related_apt - type: boolean - description: 0:False, 1:True. - - name: request - type: keyword - description: URL. - - name: request_base - type: keyword - description: Request base. - - name: request_client_application - type: keyword - description: Browser user agent. - - name: risk_level - type: long - description: SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). - - name: rt - type: date - description: Detect time. 
- - name: rt_utc - type: date - description: Detect utc time. - - name: search_data_lake - type: keyword - description: Datalake name. - - name: security_analytics - type: group - fields: - - name: engine - type: group - fields: - - name: name - type: keyword - description: Security Analytics Engine. - - name: version - type: keyword - description: Security Analytics Engine version. - - name: sender - type: keyword - description: Sender. - - name: severity_level - type: long - description: severity score. - - name: source - type: group - fields: - - name: group - type: keyword - description: Source IP address group. - - name: ip - type: ip - description: Source IP address. - - name: port - type: long - description: Source port. - - name: sub_name - type: keyword - description: Detect event subscribe name. - - name: suid - type: keyword - description: Suid. - - name: tactic_id - type: keyword - description: Security Agent or product policy. - - name: tags - type: keyword - description: Detected by Security Analytics Engine filters. - - name: threat_name - type: keyword - description: Threat name. - - name: total_count - type: long - description: total count. - - name: url_cat - type: keyword - description: URL cat. - - name: user - type: group - fields: - - name: domain - type: keyword - description: User domain. - - name: uuid - type: keyword - description: Log unique id.
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/manifest.yml b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/manifest.yml
deleted file mode 100755
index 908ce8903c..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/manifest.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-title: Collect Detection logs from Trend Micro Vision One.
-type: logs
-streams:
- - input: httpjson
- title: Detection logs
- description: Collect detection logs from Trend Micro Vision One.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the detection from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s.
- default: 5m
- multi: false
- required: true
- show_user: true
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h.
- multi: false
- required: true
- show_user: false
- default: 30s
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - trend_micro_vision_one-detection
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: false
- title: Preserve duplicate custom fields
- description: Preserve trend_micro_vision_one.detection fields that were copied to Elastic Common Schema (ECS) fields.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/0.1.0/data_stream/detection/sample_event.json
deleted file mode 100755
index 00c77d025c..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/data_stream/detection/sample_event.json
+++ /dev/null
@@ -1,305 +0,0 @@ -{ - "@timestamp": "2020-10-15T01:16:32.000Z", - "agent": { - "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d", - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.0" - }, - "data_stream": { - "dataset": "trend_micro_vision_one.detection", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "Workgroup", - "ip": [ - "81.2.69.142" - ], - "port": 53 - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "snapshot": false, - "version": "8.4.0" - }, - "event": { - "action": "clean", - "agent_id_status": "verified", - "category": [ - "intrusion_detection" - ], - "created": "2022-09-30T11:51:54.629Z", - "dataset": "trend_micro_vision_one.detection", - "id": "100117", - "ingested": "2022-09-30T11:51:58Z", - "kind": "event", - "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, 
x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch 
-p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", - "severity": 50, - "type": [ - "info" - ] - }, - "file": { - "hash": { - "md5": "761AEFF7E6B110970285B9C20C9E1DCA", - "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", - "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" - }, - "name": [ - "Unconfirmed 145081.crdownload" - ], - "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", - "size": 0 - }, - "host": { - "hostname": "samplehost", - "id": "1234-1234-1234", - "ip": [ - "81.2.69.142" - ], - "mac": "00-00-5E-00-53-23", - "name": "abc-docker" - }, - "http": { - "request": { - "referrer": "http://www.example.com/" - } - }, - "input": { - 
"type": "httpjson" - }, - "network": { - "direction": "outbound", - "protocol": "http" - }, - "observer": { - "hostname": "samplehost", - "mac": "00-00-5E-00-53-23" - }, - "process": { - "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", - "name": "string", - "pid": 0 - }, - "related": { - "hash": [ - "761AEFF7E6B110970285B9C20C9E1DCA", - "00496B4D53CEFE031B9702B3385C9F4430999932", - "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", - "3395856ce81f2b7382dee72602f798b642f14140" - ], - "hosts": [ - "samplehost", - "abc-docker" - ], - "ip": [ - "81.2.69.142", - "81.2.69.192" - ] - }, - "source": { - "ip": "81.2.69.192", - "port": 58871 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "trend_micro_vision_one-detection" - ], - "threat": { - "tactic": { - "id": [ - "TA0005" - ] - } - }, - "trend_micro_vision_one": { - "detection": { - "action": "Clean", - "action_result": "Quarantined successfully", - "behavior_category": "Grey-Detection", - "block": "Web reputation", - "client_flag": "dst", - "component_version": [ - "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" - ], - "compressed_file_size": 0, - "destination": { - "ip": [ - "81.2.69.142" - ], - "ip_group": "Default", - "port": 53 - }, - "detection": "Yes", - "detection_source": "GLOBAL_INTELLIGENCE", - "detection_type": "File", - "device": { - "direction": "outbound", - "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", - "host": "samplehost", - "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", - "ip": [ - "81.2.69.192" - ], - "mac": "00-00-5E-00-53-23", - "process_name": "/snap/core/10126/usr/lib/snapd/snapd" - }, - "domain": { - "name": "Workgroup" - }, - "end_time": "2021-09-30T17:40:04.000Z", - "endpoint": { - "guid": "1234-1234-1234", - "hostname": "abc-docker", - "ip": [ - "81.2.69.142" - ], - "mac": "00-00-5E-00-53-23" - }, - "engine_type": "Virus Scan Engine (OS 2003, x64)", - "engine_version": "12.500.1004", - 
"event_id": "100117", - "event_name": "INTEGRITY_MONITORING_EVENT", - "event_time_dt": "2021-06-10T01:38:38.000Z", - "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", - "file_name": [ - "Unconfirmed 145081.crdownload" - ], - "file_operation": "Deleted", - "file_path": "/etc/systemd/system", - "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", - "file_size": 0, - "first_action": "Clean", - "first_action_result": "Unable to clean file", - "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", - "hostname": "samplehost", - "http_referer": "http://www.example.com/", - "interested": { - "host": "abc-docker", - "ip": [ - "81.2.69.192" - ], - "mac": "00-00-5E-00-53-23" - }, - "malware_name": "Eicar_test_1", - "malware_type": "Virus/Malware", - "mproduct": { - "name": "Cloud One - Workload Security", - "version": "Deep Security/20.0.222" - }, - "object": { - "cmd": [ - "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" - ], - "file": { - "hash": { - "md5": "761AEFF7E6B110970285B9C20C9E1DCA", - "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", - "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" - }, - "name": "Unconfirmed 142899.crdownload:SmartScreen", - "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" - }, - "name": "CloudEndpointService.exe", - "pid": 7660, - "signer": [ - "OS" - ] - }, - "parent": { - "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p", - "file": { - "hash": { - "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", - "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" - }, - "path": "C:\\\\os\\\\System32\\\\svchost.exe" - } - }, - "peer": { - "host": "samplehost", - "ip": [ - "81.2.69.192" - ] - }, - "process": { - "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", - "file": { - "hash": { - "md5": "761AEFF7E6B110970285B9C20C9E1DCA", - 
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", - "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" - }, - "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe" - }, - "name": "string", - "pid": 0, - "signer": "OS Publisher" - }, - "product": { - "code": "sao", - "name": "Apex One", - "version": "20.0.0.877" - }, - "protocol": "HTTP", - "protocol_group": "HTTP", - "related_apt": false, - "request": "https://example.com", - "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", - "risk_level": 3, - "rt": "2020-10-15T01:16:32.000Z", - "rt_utc": "2020-10-15T01:16:32.000Z", - "search_data_lake": "DDL", - "security_analytics": { - "engine": { - "name": [ - "T1090 (TA0005)" - ], - "version": "v6" - } - }, - "severity_level": 50, - "source": { - "group": "Default", - "ip": "81.2.69.192", - "port": 58871 - }, - "sub_name": "Attack Discovery", - "tactic_id": [ - "TA0005" - ], - "tags": [ - "XSAE.F2140", - "XSAE.F3066" - ], - "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", - "total_count": 1, - "uuid": "1234-1234-1234" - } - }, - "url": { - "domain": "example.com", - "original": "https://example.com", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "iPhone" - }, - "name": "Mobile Safari", - "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", - "os": { - "full": "iOS 12.1", - "name": "iOS", - "version": "12.1" - }, - "version": "12.0" - } -} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/0.1.0/docs/README.md b/packages/trend_micro_vision_one/0.1.0/docs/README.md deleted file mode 100755 index a0628ed587..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/docs/README.md +++ /dev/null 
@@ -1,965 +0,0 @@ -# Trend Micro Vision One - -## Overview - -The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. - -Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana. - -## Data streams - -The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection. - -**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). - -**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs). - -**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. - -This module has been tested against `Trend Micro Vision One API version 3.0`. - -**Note:** The authentication token generated by a user expires one year after being generated. - -## Setup - -### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps: - -1. Log on to the Trend Micro Vision One console. -2. Go to **Administration -> User Accounts**. 
-![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png) -3. Click on the account name having appropriate API access permission to generate an API token. -![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) -4. Copy the Authentication token. - -## Logs Reference - -### alert - -This is the `alert` dataset. - -#### Example - -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2030-04-30T00:01:16.000Z", - "agent": { - "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69", - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.0" - }, - "data_stream": { - "dataset": "trend_micro_vision_one.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "fcbfb418-43b4-4893-b170-e74a040560f2", - "snapshot": false, - "version": "8.4.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-09-30T11:50:26.826Z", - "dataset": "trend_micro_vision_one.alert", - "id": "WB-9002-20200427-0002", - "ingested": "2022-09-30T11:50:30Z", - "kind": "alert", - "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request 
url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", - "severity": 63, - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "log": { - "level": "critical" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "trend_micro_vision_one-alert" - ], - "trend_micro_vision_one": { - "alert": { - "alert_provider": "SAE", - "created_date": "2020-04-30T00:01:15.000Z", - "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", - "id": "WB-9002-20200427-0002", - "impact_scope": { - "account_count": 0, - "desktop_count": 0, - "email_address_count": 0, - "entities": [ - { - "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", - "provenance": [ - "Alert" - ], - "related_entities": [ - "CODERED\\\\user" - ], - "related_indicator_id": [ - 1 - ], - "type": "host", - "value": { - "account_value": "user@email.com" - } - } - ], - "server_count": 0 - }, - "indicators": [ - { - "field": "request url", - "filter_id": [ - "f862df72-7f5e-4b2b-9f7f-9148e875f908" - ], - "id": 1, - "provenance": [ - "Alert" - ], - "related_entities": [ - "user@example.com" - ], - 
"type": "url", - "value": "http://www.example.com/ab001.zip" - } - ], - "investigation_status": "New", - "matched_rule": [ - { - "filter": [ - { - "date": "2019-08-02T04:00:01.000Z", - "events": [ - { - "date": "2019-08-02T04:00:01.000Z", - "type": "TELEMETRY_REGISTRY", - "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" - } - ], - "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", - "mitre_technique_id": [ - "T1192" - ], - "name": "(T1192) Spearphishing Link" - } - ], - "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", - "name": "Possible SpearPhishing Email" - } - ], - "model": "Possible APT Attack", - "schema_version": "1.0", - "score": 63, - "severity": "critical", - "workbench_link": "https://THE_WORKBENCH_URL" - } - }, - "url": { - "original": "https://THE_WORKBENCH_URL", - "scheme": "https" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Log offset | long | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword | -| trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword | -| trend_micro_vision_one.alert.created_by | Created by. | keyword | -| trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. | date | -| trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword | -| trend_micro_vision_one.alert.id | Workbench ID. | keyword | -| trend_micro_vision_one.alert.impact_scope.account_count | Count of affected account. | long | -| trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktop. | long | -| trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email address. | long | -| trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or emailAddress. | keyword | -| trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword | -| trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity id. | keyword | -| trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip | -| trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword | -| trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword | -| trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator ids. 
| long | -| trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword | -| trend_micro_vision_one.alert.impact_scope.server_count | Count of affected server. | long | -| trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword | -| trend_micro_vision_one.alert.indicators.filter_id | Related matched filter ids. | keyword | -| trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | -| trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword | -| trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | -| trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern ids. | keyword | -| trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword | -| trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword | -| trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword | -| trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword | -| trend_micro_vision_one.alert.industry | Industry. | keyword | -| trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword | -| trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long | -| trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword | -| trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword | -| trend_micro_vision_one.alert.matched_indicators_pattern.pattern | STIX indicator will be a pattern. | keyword | -| trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. 
| keyword | -| trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | -| trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date | -| trend_micro_vision_one.alert.matched_rule.filter.events.event_uuid | Matched event uuid. | keyword | -| trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter id. | keyword | -| trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | Mitre technique id. | keyword | -| trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword | -| trend_micro_vision_one.alert.matched_rule.id | The rules are triggered. | keyword | -| trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword | -| trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword | -| trend_micro_vision_one.alert.region_and_country | region/country. | keyword | -| trend_micro_vision_one.alert.report_link | A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. | keyword | -| trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of alert trigger content. | keyword | -| trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long | -| trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword | -| trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long | -| trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-
-
-### audit
-
-This is the `audit` dataset. 
-
-#### Example
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-24T07:29:48.000Z",
- "agent": {
- "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71",
- "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.0"
- },
- "data_stream": {
- "dataset": "trend_micro_vision_one.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
- "snapshot": false,
- "version": "8.4.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "created": "2022-09-30T11:51:11.031Z",
- "dataset": "trend_micro_vision_one.audit",
- "ingested": "2022-09-30T11:51:14Z",
- "kind": "event",
- "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}",
- "outcome": "failure",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "user": [
- "Root Account"
- ]
- },
- "source": {
- "user": {
- "name": "Root Account",
- "roles": "Master Administrator"
- }
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "trend_micro_vision_one-audit"
- ],
- "trend_micro_vision_one": {
- "audit": {
- "access_type": "Console",
- "activity": "string",
- "category": "Logon and Logoff",
- "details": {
- "property1": "string",
- "property2": "string"
- },
- "logged_role": "Master Administrator",
- "logged_user": "Root Account",
- "result": "Unsuccessful"
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. 
| date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. 
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| source.user.roles | Array of user roles at the time of the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
-| trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
-| trend_micro_vision_one.audit.category | Category. | keyword |
-| trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened |
-| trend_micro_vision_one.audit.logged_role | Role of the account. | keyword |
-| trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword |
-| trend_micro_vision_one.audit.result | Result. | keyword |
-
-
-### detection
-
-This is the `detection` dataset. 
-
-#### Example
-
-An example event for `detection` looks as following:
-
-```json
-{
- "@timestamp": "2020-10-15T01:16:32.000Z",
- "agent": {
- "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d",
- "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.0"
- },
- "data_stream": {
- "dataset": "trend_micro_vision_one.detection",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "Workgroup",
- "ip": [
- "81.2.69.142"
- ],
- "port": 53
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
- "snapshot": false,
- "version": "8.4.0"
- },
- "event": {
- "action": "clean",
- "agent_id_status": "verified",
- "category": [
- "intrusion_detection"
- ],
- "created": "2022-09-30T11:51:54.629Z",
- "dataset": "trend_micro_vision_one.detection",
- "id": "100117",
- "ingested": "2022-09-30T11:51:58Z",
- "kind": "event",
- "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, 
x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch 
-p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}",
- "severity": 50,
- "type": [
- "info"
- ]
- },
- "file": {
- "hash": {
- "md5": "761AEFF7E6B110970285B9C20C9E1DCA",
- "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
- "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
- },
- "name": [
- "Unconfirmed 145081.crdownload"
- ],
- "path": "/etc/systemd/system/snap-xxxx-1246.xxxx",
- "size": 0
- },
- "host": {
- "hostname": "samplehost",
- "id": "1234-1234-1234",
- "ip": [
- "81.2.69.142"
- ],
- "mac": "00-00-5E-00-53-23",
- "name": "abc-docker"
- },
- "http": {
- "request": {
- "referrer": "http://www.example.com/"
- }
- },
- "input": {
- 
"type": "httpjson"
- },
- "network": {
- "direction": "outbound",
- "protocol": "http"
- },
- "observer": {
- "hostname": "samplehost",
- "mac": "00-00-5E-00-53-23"
- },
- "process": {
- "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca",
- "name": "string",
- "pid": 0
- },
- "related": {
- "hash": [
- "761AEFF7E6B110970285B9C20C9E1DCA",
- "00496B4D53CEFE031B9702B3385C9F4430999932",
- "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7",
- "3395856ce81f2b7382dee72602f798b642f14140"
- ],
- "hosts": [
- "samplehost",
- "abc-docker"
- ],
- "ip": [
- "81.2.69.142",
- "81.2.69.192"
- ]
- },
- "source": {
- "ip": "81.2.69.192",
- "port": 58871
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "trend_micro_vision_one-detection"
- ],
- "threat": {
- "tactic": {
- "id": [
- "TA0005"
- ]
- }
- },
- "trend_micro_vision_one": {
- "detection": {
- "action": "Clean",
- "action_result": "Quarantined successfully",
- "behavior_category": "Grey-Detection",
- "block": "Web reputation",
- "client_flag": "dst",
- "component_version": [
- "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"
- ],
- "compressed_file_size": 0,
- "destination": {
- "ip": [
- "81.2.69.142"
- ],
- "ip_group": "Default",
- "port": 53
- },
- "detection": "Yes",
- "detection_source": "GLOBAL_INTELLIGENCE",
- "detection_type": "File",
- "device": {
- "direction": "outbound",
- "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F",
- "host": "samplehost",
- "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
- "ip": [
- "81.2.69.192"
- ],
- "mac": "00-00-5E-00-53-23",
- "process_name": "/snap/core/10126/usr/lib/snapd/snapd"
- },
- "domain": {
- "name": "Workgroup"
- },
- "end_time": "2021-09-30T17:40:04.000Z",
- "endpoint": {
- "guid": "1234-1234-1234",
- "hostname": "abc-docker",
- "ip": [
- "81.2.69.142"
- ],
- "mac": "00-00-5E-00-53-23"
- },
- "engine_type": "Virus Scan Engine (OS 2003, x64)",
- "engine_version": "12.500.1004",
- 
"event_id": "100117",
- "event_name": "INTEGRITY_MONITORING_EVENT",
- "event_time_dt": "2021-06-10T01:38:38.000Z",
- "file_hash": "3395856ce81f2b7382dee72602f798b642f14140",
- "file_name": [
- "Unconfirmed 145081.crdownload"
- ],
- "file_operation": "Deleted",
- "file_path": "/etc/systemd/system",
- "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx",
- "file_size": 0,
- "first_action": "Clean",
- "first_action_result": "Unable to clean file",
- "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload",
- "hostname": "samplehost",
- "http_referer": "http://www.example.com/",
- "interested": {
- "host": "abc-docker",
- "ip": [
- "81.2.69.192"
- ],
- "mac": "00-00-5E-00-53-23"
- },
- "malware_name": "Eicar_test_1",
- "malware_type": "Virus/Malware",
- "mproduct": {
- "name": "Cloud One - Workload Security",
- "version": "Deep Security/20.0.222"
- },
- "object": {
- "cmd": [
- "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"
- ],
- "file": {
- "hash": {
- "md5": "761AEFF7E6B110970285B9C20C9E1DCA",
- "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
- "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
- },
- "name": "Unconfirmed 142899.crdownload:SmartScreen",
- "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen"
- },
- "name": "CloudEndpointService.exe",
- "pid": 7660,
- "signer": [
- "OS"
- ]
- },
- "parent": {
- "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p",
- "file": {
- "hash": {
- "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
- "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
- },
- "path": "C:\\\\os\\\\System32\\\\svchost.exe"
- }
- },
- "peer": {
- "host": "samplehost",
- "ip": [
- "81.2.69.192"
- ]
- },
- "process": {
- "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca",
- "file": {
- "hash": {
- "md5": "761AEFF7E6B110970285B9C20C9E1DCA",
- 
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
- "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
- },
- "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe"
- },
- "name": "string",
- "pid": 0,
- "signer": "OS Publisher"
- },
- "product": {
- "code": "sao",
- "name": "Apex One",
- "version": "20.0.0.877"
- },
- "protocol": "HTTP",
- "protocol_group": "HTTP",
- "related_apt": false,
- "request": "https://example.com",
- "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
- "risk_level": 3,
- "rt": "2020-10-15T01:16:32.000Z",
- "rt_utc": "2020-10-15T01:16:32.000Z",
- "search_data_lake": "DDL",
- "security_analytics": {
- "engine": {
- "name": [
- "T1090 (TA0005)"
- ],
- "version": "v6"
- }
- },
- "severity_level": 50,
- "source": {
- "group": "Default",
- "ip": "81.2.69.192",
- "port": 58871
- },
- "sub_name": "Attack Discovery",
- "tactic_id": [
- "TA0005"
- ],
- "tags": [
- "XSAE.F2140",
- "XSAE.F3066"
- ],
- "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected",
- "total_count": 1,
- "uuid": "1234-1234-1234"
- }
- },
- "url": {
- "domain": "example.com",
- "original": "https://example.com",
- "scheme": "https"
- },
- "user_agent": {
- "device": {
- "name": "iPhone"
- },
- "name": "Mobile Safari",
- "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
- "os": {
- "full": "iOS 12.1",
- "name": "iOS",
- "version": "12.1"
- },
- "version": "12.0"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| os.name | Operating system name, without the version. | keyword |
-| os.name.text | Multi-field of `os.name`. | match_only_text |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| trend_micro_vision_one.detection.action | Action by detect product. | keyword |
-| trend_micro_vision_one.detection.action_result | Action result by detect product. | keyword |
-| trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long |
-| trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here. | keyword |
-| trend_micro_vision_one.detection.block | blocking Reason. | keyword |
-| trend_micro_vision_one.detection.client_flag | 0:Unknown 1:src 2:dst. | keyword |
-| trend_micro_vision_one.detection.client_ip | Client IP. | ip |
-| trend_micro_vision_one.detection.component_version | Product component version. | keyword |
-| trend_micro_vision_one.detection.compressed_file_size | File size after compressed. | long |
-| trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip |
-| trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword |
-| trend_micro_vision_one.detection.destination.port | Destination port. | long |
-| trend_micro_vision_one.detection.detection | Yes (Tag it when it appears and the value is 1). | keyword |
-| trend_micro_vision_one.detection.detection_source | Detection source use by Deep Discovery Inspector. 
| keyword | -| trend_micro_vision_one.detection.detection_type | Product detection type. | keyword | -| trend_micro_vision_one.detection.device.direction | 0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned). | keyword | -| trend_micro_vision_one.detection.device.guid | Device GUID. | keyword | -| trend_micro_vision_one.detection.device.host | device host. | keyword | -| trend_micro_vision_one.detection.device.id | Device identity. | keyword | -| trend_micro_vision_one.detection.device.ip | Devices ip list. | ip | -| trend_micro_vision_one.detection.device.mac | Mac address. | keyword | -| trend_micro_vision_one.detection.device.process_name | Process name in device. | keyword | -| trend_micro_vision_one.detection.domain.name | Domain name. | keyword | -| trend_micro_vision_one.detection.end_time | End time. | date | -| trend_micro_vision_one.detection.endpoint.guid | endpoint GUID for identity. | keyword | -| trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword | -| trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip | -| trend_micro_vision_one.detection.endpoint.mac | Endpoint Mac address. | keyword | -| trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword | -| trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword | -| trend_micro_vision_one.detection.event_id | Event ID. | keyword | -| trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword | -| trend_micro_vision_one.detection.event_time_dt | Detect time. | date | -| trend_micro_vision_one.detection.file_hash | Detect file hash value. | keyword | -| trend_micro_vision_one.detection.file_name | Detect file name. | keyword | -| trend_micro_vision_one.detection.file_operation | Operation for detect file. | keyword | -| trend_micro_vision_one.detection.file_path | Full file path without file name. 
| keyword | -| trend_micro_vision_one.detection.file_path_name | Full file path. | keyword | -| trend_micro_vision_one.detection.file_size | Detect file size. | long | -| trend_micro_vision_one.detection.file_type | Detect file type. | keyword | -| trend_micro_vision_one.detection.first_action | First action. | keyword | -| trend_micro_vision_one.detection.first_action_result | First action result. | keyword | -| trend_micro_vision_one.detection.full_path | File full path. | keyword | -| trend_micro_vision_one.detection.hostname | host name. | keyword | -| trend_micro_vision_one.detection.http_referer | http referer url. | keyword | -| trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword | -| trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip | -| trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword | -| trend_micro_vision_one.detection.malware_name | Malware name. | keyword | -| trend_micro_vision_one.detection.malware_type | Malware type. | keyword | -| trend_micro_vision_one.detection.mime_type | Mime type. | keyword | -| trend_micro_vision_one.detection.mproduct.name | Product name. | keyword | -| trend_micro_vision_one.detection.mproduct.version | Product Version. | keyword | -| trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword | -| trend_micro_vision_one.detection.object.file.hash.md5 | File Hash Md5 value. | keyword | -| trend_micro_vision_one.detection.object.file.hash.sha1 | File Hash Sha1 value. | keyword | -| trend_micro_vision_one.detection.object.file.hash.sha256 | File Hash Sha256 value. | keyword | -| trend_micro_vision_one.detection.object.file.name | File name. | keyword | -| trend_micro_vision_one.detection.object.file.path | File path. 
| keyword | -| trend_micro_vision_one.detection.object.name | Detect object name. | keyword | -| trend_micro_vision_one.detection.object.pid | Detect object Pid. | long | -| trend_micro_vision_one.detection.object.signer | Signer. | keyword | -| trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword | -| trend_micro_vision_one.detection.parent.cmd | The command line that parent process. | keyword | -| trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file sha1. | keyword | -| trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file sha256. | keyword | -| trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword | -| trend_micro_vision_one.detection.peer.host | Peer host name. | keyword | -| trend_micro_vision_one.detection.peer.ip | Peer ip list. | ip | -| trend_micro_vision_one.detection.policy.logkey | Policy logkey. | keyword | -| trend_micro_vision_one.detection.policy.name | Policy name. | keyword | -| trend_micro_vision_one.detection.policy.uuid | Policy uuid. | keyword | -| trend_micro_vision_one.detection.principal_name | Principal name. | keyword | -| trend_micro_vision_one.detection.process.cmd | The command line used to launch this process. | keyword | -| trend_micro_vision_one.detection.process.file.hash.md5 | Process file hash MD5 value. | keyword | -| trend_micro_vision_one.detection.process.file.hash.sha1 | Process file hash Sha1 value. | keyword | -| trend_micro_vision_one.detection.process.file.hash.sha256 | Process file hash Sha256 value. | keyword | -| trend_micro_vision_one.detection.process.file.path | The process file path. | keyword | -| trend_micro_vision_one.detection.process.name | Process name. | keyword | -| trend_micro_vision_one.detection.process.pid | Process Pid. | long | -| trend_micro_vision_one.detection.process.signer | Process signer. | keyword | -| trend_micro_vision_one.detection.product.code | Product code name. 
| keyword | -| trend_micro_vision_one.detection.product.name | product name. | keyword | -| trend_micro_vision_one.detection.product.version | Product version. | keyword | -| trend_micro_vision_one.detection.profile | Profile | keyword | -| trend_micro_vision_one.detection.protocol | Protocol detect by Deep Discovery Inspector. | keyword | -| trend_micro_vision_one.detection.protocol_group | Protocol group detect by Deep Discovery Inspector. | keyword | -| trend_micro_vision_one.detection.related_apt | 0:False, 1:True. | boolean | -| trend_micro_vision_one.detection.request | URL. | keyword | -| trend_micro_vision_one.detection.request_base | Request base. | keyword | -| trend_micro_vision_one.detection.request_client_application | Browser user agent. | keyword | -| trend_micro_vision_one.detection.risk_level | SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). | long | -| trend_micro_vision_one.detection.rt | Detect time. | date | -| trend_micro_vision_one.detection.rt_utc | Detect utc time. | date | -| trend_micro_vision_one.detection.search_data_lake | Datalake name. | keyword | -| trend_micro_vision_one.detection.security_analytics.engine.name | Security Analytics Engine. | keyword | -| trend_micro_vision_one.detection.security_analytics.engine.version | Security Analytics Engine version. | keyword | -| trend_micro_vision_one.detection.sender | Sender. | keyword | -| trend_micro_vision_one.detection.severity_level | severity score. | long | -| trend_micro_vision_one.detection.source.group | Source IP address group. | keyword | -| trend_micro_vision_one.detection.source.ip | Source IP address. | ip | -| trend_micro_vision_one.detection.source.port | Source port. | long | -| trend_micro_vision_one.detection.sub_name | Detect event subscribe name. | keyword | -| trend_micro_vision_one.detection.suid | Suid. | keyword | -| trend_micro_vision_one.detection.tactic_id | Security Agent or product policy. 
| keyword | -| trend_micro_vision_one.detection.tags | Detected by Security Analytics Engine filters. | keyword | -| trend_micro_vision_one.detection.threat_name | Threat name. | keyword | -| trend_micro_vision_one.detection.total_count | total count. | long | -| trend_micro_vision_one.detection.url_cat | URL cat. | keyword | -| trend_micro_vision_one.detection.user.domain | User domain. | keyword | -| trend_micro_vision_one.detection.uuid | Log unique id. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. 
| match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - diff --git a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-alert-dashboard-screenshot.png b/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-alert-dashboard-screenshot.png deleted file mode 100755 index 63b9e5bb62..0000000000 Binary files a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-alert-dashboard-screenshot.png and /dev/null differ diff --git a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-api-token-generate.png b/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-api-token-generate.png deleted file mode 100755 index 9a4f51d986..0000000000 Binary files a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-api-token-generate.png and /dev/null differ diff --git a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-console.png b/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-console.png deleted file mode 100755 index 901c0c133d..0000000000 Binary files a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-console.png and /dev/null differ diff --git a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-logo.svg b/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-logo.svg deleted file mode 100755 index 9490d7a747..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/img/trend-micro-vision-one-logo.svg +++ /dev/null @@ -1,389 +0,0 @@ - - - - 
diff --git a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json deleted file mode 100755 index 4d59581fcf..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Trend Micro Vision One Audit Events Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa43e27-f7bd-4f0f-b7d2-08955609a472\":{\"columnOrder\":[\"d8a8e1d7-1241-4a70-85e3-382db7b4fa21\",\"bda61ee5-a14d-4864-ba26-d3e0394c63ad\"],\"columns\":{\"bda61ee5-a14d-4864-ba26-d3e0394c63ad\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d8a8e1d7-1241-4a70-85e3-382db7b4fa21\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Result\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bda61ee5-a14d-4864-ba26-d3e0394c63ad\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.audit.result\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.audit\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d8a8e1d7-1241-4a70-85e3-382db7b4fa21\"],\"layerId\":\"9fa43e27-f7bd-4f0f-b7d2-08955609a472\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"bda61ee5-a14d-4864-ba26-d3e0394c63ad\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3b9ed00-b61a-4e71-9144-d92505d7eaf9\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"e3b9ed00-b61a-4e71-9144-d92505d7eaf9\",\"title\":\"Distribution of Audit by Result [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a5dfde98-4b93-4c4c-93c1-70043ff2502f\":{\"columnOrder\":[\"3dae7a26-68d9-484c-8d34-c19f2b279979\",\"1447642a-b455-4a1e-a425-568a15593cc3\"],\"columns\":{\"1447642a-b455-4a1e-a425-568a15593cc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3dae7a26-68d9-484c-8d34-c19f2b279979\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Access 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1447642a-b455-4a1e-a425-568a15593cc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.audit.access_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.audit\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3dae7a26-68d9-484c-8d34-c19f2b279979\"],\"layerId\":\"a5dfde98-4b93-4c4c-93c1-70043ff2502f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1447642a-b455-4a1e-a425-568a15593cc3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"984d6a97-d668-4f4f-8750-679983971d4c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"984d6a97-d668-4f4f-8750-679983971d4c\",\"title\":\"Distribution of Audit by Access Type [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"897f370a-3c32-469f-bfc2-74613384ef81\":{\"columnOrder\":[\"fcd42d60-5fd5-4eda-98b3-fec2247b30ff\",\"9f43b7e2-6213-44d3-85e1-c001f901b2b9\"],\"columns\":{\"9f43b7e2-6213-44d3-85e1-c001f901b2b9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fcd42d60-5fd5-4eda-98b3-fec2247b30ff\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9f43b7e2-6213-44d3-85e1-c001f901b2b9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.audit.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.audit\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"9f43b7e2-6213-44d3-85e1-c001f901b2b9\"],\"layerId\":\"897f370a-3c32-469f-bfc2-74613384ef81\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"fcd42d60-5fd5-4eda-98b3-fec2247b30ff\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c04c566d-1863-49ab-9bc1-74ad66d40666\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"c04c566d-1863-49ab-9bc1-74ad66d40666\",\"title\":\"Distribution of Audit by Category [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85e7772a-687e-4f8e-8808-f6bdc6f9a538\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"85e7772a-687e-4f8e-8808-f6bdc6f9a538\",\"panelRefName\":\"panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Trend Micro Vision One] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81", - "type": "index-pattern" - }, - { - "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89", - "name": "85e7772a-687e-4f8e-8808-f6bdc6f9a538:panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json deleted file mode 100755 index fd81c8ff96..0000000000 --- a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json +++ /dev/null 
@@ -1,162 +0,0 @@ -{ - "attributes": { - "description": "Trend Micro Vision One Detection Events Overview.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ab62783e-8f90-4ed1-aaa2-0986490650ff\":{\"columnOrder\":[\"78014197-8878-4d6a-9820-cbc319572497\",\"4fbc0f3c-b645-4cfd-a340-3cda49fce133\"],\"columns\":{\"4fbc0f3c-b645-4cfd-a340-3cda49fce133\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"78014197-8878-4d6a-9820-cbc319572497\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Blocking Reason\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4fbc0f3c-b645-4cfd-a340-3cda49fce133\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.block\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"4fbc0f3c-b645-4cfd-a340-3cda49fce133\"],\"layerId\":\"ab62783e-8f90-4ed1-aaa2-0986490650ff\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"78014197-8878-4d6a-9820-cbc319572497\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037\",\"title\":\"Distribution of Detection by Blocking Reason [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"29f50e0d-fac2-443c-825c-8eb0c3a714d0\":{\"columnOrder\":[\"48dd0201-3a46-47ea-b3fc-290d97ec6638\",\"5a64df17-5e2d-4d42-b14a-adbb83d76b77\"],\"columns\":{\"48dd0201-3a46-47ea-b3fc-290d97ec6638\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Behavior 
Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a64df17-5e2d-4d42-b14a-adbb83d76b77\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.behavior_category\"},\"5a64df17-5e2d-4d42-b14a-adbb83d76b77\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5a64df17-5e2d-4d42-b14a-adbb83d76b77\"],\"layerId\":\"29f50e0d-fac2-443c-825c-8eb0c3a714d0\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"48dd0201-3a46-47ea-b3fc-290d97ec6638\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"52f01658-a95d-4f43-8e53-0a2a5acbb875\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"52f01658-a95d-4f43-8e53-0a2a5acbb875\",\"title\":\"Distribution of Detection by Behavior Category [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49c72f74-21be-4805-9818-62b060da841d\":{\"columnOrder\":[\"05971311-2b03-416e-b137-6570c146adf1\",\"a2bbe427-42ce-4604-b8fe-4b5bd3e198d7\"],\"columns\":{\"05971311-2b03-416e-b137-6570c146adf1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Network Direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a2bbe427-42ce-4604-b8fe-4b5bd3e198d7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a2bbe427-42ce-4604-b8fe-4b5bd3e198d7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"05971311-2b03-416e-b137-6570c146adf1\"],\"layerId\":\"49c72f74-21be-4805-9818-62b060da841d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a2bbe427-42ce-4604-b8fe-4b5bd3e198d7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58a6256c-8b28-43db-86c2-3359cef9ab44\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"58a6256c-8b28-43db-86c2-3359cef9ab44\",\"title\":\"Distribution of Detection by Device 
Direction [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f691f89d-3522-4220-a870-93486224b466\":{\"columnOrder\":[\"b1c380a4-c9bd-4033-a33d-90d729de1655\",\"c85cf4bc-ee58-47d4-b395-0020646923c4\"],\"columns\":{\"b1c380a4-c9bd-4033-a33d-90d729de1655\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c85cf4bc-ee58-47d4-b395-0020646923c4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.protocol\"},\"c85cf4bc-ee58-47d4-b395-0020646923c4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b1c380a4-c9bd-4033-a33d-90d729de1655\"],\"layerId\":\"f691f89d-3522-4220-a870-93486224b466\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c85cf4bc-ee58-47d4-b395-0020646923c4\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6f265958-b714-4af3-8479-6a71792ab6e8\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"6f265958-b714-4af3-8479-6a71792ab6e8\",\"title\":\"Distribution 
of Detection by Protocol [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d550744a-88fb-4110-aa6e-7b2c2fa25385\":{\"columnOrder\":[\"d1db4ae9-f392-4d84-9266-708f312a417d\",\"89ecd6cc-d6c0-40fd-b815-ba5dd95df82c\"],\"columns\":{\"89ecd6cc-d6c0-40fd-b815-ba5dd95df82c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d1db4ae9-f392-4d84-9266-708f312a417d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"89ecd6cc-d6c0-40fd-b815-ba5dd95df82c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d1db4ae9-f392-4d84-9266-708f312a417d\"},{\"columnId\":\"89ecd6cc-d6c0-40fd-b815-ba5dd95df82c\"}],\"layerId\":\"d550744a-88fb-4110-aa6e-7b2c2fa25385\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a57572f8-12d9-4d75-a3b7-e592f588881f\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"a57572f8-12d9-4d75-a3b7-e592f588881f\",\"title\":\"Top 10 Action by Detect Product [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"72a2f6df-02ac-4dbc-9852-39e3ba8afa83\":{\"columnOrder\":[\"d963d750-55ea-467b-b420-2ee6f6a40f66\",\"d1b13123-1275-49e1-b407-7c58b6a689f3\"],\"columns\":{\"d1b13123-1275-49e1-b407-7c58b6a689f3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d963d750-55ea-467b-b420-2ee6f6a40f66\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action Result\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d1b13123-1275-49e1-b407-7c58b6a689f3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.action_result\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d963d750-55ea-467b-b420-2ee6f6a40f66\"},{\"columnId\":\"d1b13123-1275-49e1-b407-7c58b6a689f3\"}],\"layerId\":\"72a2f6df-02ac-4dbc-9852-39e3ba8afa83\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"30d672ab-9361-421c-be5f-213d76fbe2dd\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"30d672ab-9361-421c-be5f-213d76fbe2dd\",\"title\":\"Top 10 Action Result by Detect Product [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"50f136e8-fe91-4269-bd9b-650c0392557d\":{\"columnOrder\":[\"e9b0baae-bc82-4535-b30b-9e3d1087bcea\",\"72f117ec-bf7f-4b4a-8a46-1e62b9031e00\"],\"columns\":{\"72f117ec-bf7f-4b4a-8a46-1e62b9031e00\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e9b0baae-bc82-4535-b30b-9e3d1087bcea\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Tags\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"72f117ec-bf7f-4b4a-8a46-1e62b9031e00\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.tags\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e9b0baae-bc82-4535-b30b-9e3d1087bcea\",\"isTransposed\":false},{\"columnId\":\"72f117ec-bf7f-4b4a-8a46-1e62b9031e00\",\"isTransposed\":false}],\"layerId\":\"50f136e8-fe91-4269-bd9b-650c0392557d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b7a95a71-0b0a-4377-81eb-9d493e103d14\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"b7a95a71-0b0a-4377-81eb-9d493e103d14\",\"title\":\"Top 10 Detail Tags [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e73c0595-8dfa-4b9d-9af9-da286f0ea969\":{\"columnOrder\":[\"02b9468e-18df-4668-af94-216037f15562\",\"5b8c77cc-c8bf-406e-9dcc-65861d3fea18\"],\"columns\":{\"02b9468e-18df-4668-af94-216037f15562\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5b8c77cc-c8bf-406e-9dcc-65861d3fea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.threat_name\"},\"5b8c77cc-c8bf-406e-9dcc-65861d3fea18\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"02b9468e-18df-4668-af94-216037f15562\"},{\"columnId\":\"5b8c77cc-c8bf-406e-9dcc-65861d3fea18\"}],\"layerId\":\"e73c0595-8dfa-4b9d-9af9-da286f0ea969\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0207e0e7-7809-46f9-b26f-0888a3d96d98\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"0207e0e7-7809-46f9-b26f-0888a3d96d98\",\"title\":\"Top 10 Threat Name [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a8599c32-418f-45e0-a013-1d0ef2a030c4\":{\"columnOrder\":[\"e864022d-8287-42ad-9ab5-4637769a9c71\",\"85a7d42c-1431-412c-8497-f9a74a39b1df\"],\"columns\":{\"85a7d42c-1431-412c-8497-f9a74a39b1df\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e864022d-8287-42ad-9ab5-4637769a9c71\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Detection Source\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"85a7d42c-1431-412c-8497-f9a74a39b1df\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.detection_source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"85a7d42c-1431-412c-8497-f9a74a39b1df\"],\"layerId\":\"a8599c32-418f-45e0-a013-1d0ef2a030c4\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e864022d-8287-42ad-9ab5-4637769a9c71\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"98acbf97-ec55-474c-b5db-cae2aaed7e14\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"98acbf97-ec55-474c-b5db-cae2aaed7e14\",\"title\":\"Distribution of Detection by Detection Source [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bd766933-cdfd-4c87-ab55-3e994a2fe44e\":{\"columnOrder\":[\"7e6beac1-f7da-41db-91a7-31d58a221a61\",\"4ca7bc27-a9fa-476f-912b-522ed2a46ff3\"],\"columns\":{\"4ca7bc27-a9fa-476f-912b-522ed2a46ff3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7e6beac1-f7da-41db-91a7-31d58a221a61\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ca7bc27-a9fa-476f-912b-522ed2a46ff3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"os.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7e6beac1-f7da-41db-91a7-31d58a221a61\"],\"layerId\":\"bd766933-cdfd-4c87-ab55-3e994a2fe44e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"4ca7bc27-a9fa-476f-912b-522ed2a46ff3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c2817d33-dceb-4442-b496-2fef04b7784a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"c2817d33-dceb-4442-b496-2fef04b7784a\",\"title\":\"Distribution of Detection by OS Name [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"96da828c-adec-4f42-9d21-8e483f024d23\":{\"columnOrder\":[\"b46706ba-b1dc-45db-af7a-53c85ff142c8\",\"5ec5dfed-9b61-4812-b6a1-b166a679630f\"],\"columns\":{\"5ec5dfed-9b61-4812-b6a1-b166a679630f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b46706ba-b1dc-45db-af7a-53c85ff142c8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Policy Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec5dfed-9b61-4812-b6a1-b166a679630f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.policy.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b46706ba-b1dc-45db-af7a-53c85ff142c8\"},{\"columnId\":\"5ec5dfed-9b61-4812-b6a1-b166a679630f\"}],\"layerId\":\"96da828c-adec-4f42-9d21-8e483f024d23\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"533112ad-9176-45ae-b7e2-f17a052f06b8\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"533112ad-9176-45ae-b7e2-f17a052f06b8\",\"title\":\"Top 10 Policy Name [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f1c7368e-804d-4324-97e9-f12e0639e9d5\":{\"columnOrder\":[\"0bc965a0-c84f-4dc9-bbcd-a4a52567e52a\",\"26e37366-6baa-411b-aa4d-3e1ce4ca5e34\"],\"columns\":{\"0bc965a0-c84f-4dc9-bbcd-a4a52567e52a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"26e37366-6baa-411b-aa4d-3e1ce4ca5e34\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"file.type\"},\"26e37366-6baa-411b-aa4d-3e1ce4ca5e34\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"26e37366-6baa-411b-aa4d-3e1ce4ca5e34\"],\"layerId\":\"f1c7368e-804d-4324-97e9-f12e0639e9d5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"0bc965a0-c84f-4dc9-bbcd-a4a52567e52a\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c4b23adc-cfc7-45d5-8330-28788f0d2cf1\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"c4b23adc-cfc7-45d5-8330-28788f0d2cf1\",\"title\":\"Distribution of Detection by File Type [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4917b550-af61-4625-af61-c9274e27047a\":{\"columnOrder\":[\"ca6ec33b-2725-4194-b64c-69c605dd34a2\",\"a7c8cecb-f044-462f-aed8-549776b43392\"],\"columns\":{\"a7c8cecb-f044-462f-aed8-549776b43392\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ca6ec33b-2725-4194-b64c-69c605dd34a2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Profile\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a7c8cecb-f044-462f-aed8-549776b43392\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.profile\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"a7c8cecb-f044-462f-aed8-549776b43392\"],\"layerId\":\"4917b550-af61-4625-af61-c9274e27047a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"ca6ec33b-2725-4194-b64c-69c605dd34a2\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5\",\"title\":\"Distribution of Detection by Profile Name [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d691e22d-4da1-4052-99e9-19980d1ad140\":{\"columnOrder\":[\"6b9911e7-dc62-4956-a3a1-8faf9e0b38d8\",\"7ff5c2fd-ec85-4949-9ce7-899b284d7052\"],\"columns\":{\"6b9911e7-dc62-4956-a3a1-8faf9e0b38d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Sender\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ff5c2fd-ec85-4949-9ce7-899b284d7052\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.detection.sender\"},\"7ff5c2fd-ec85-4949-9ce7-899b284d7052\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.detection\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"6b9911e7-dc62-4956-a3a1-8faf9e0b38d8\"},{\"columnId\":\"7ff5c2fd-ec85-4949-9ce7-899b284d7052\"}],\"layerId\":\"d691e22d-4da1-4052-99e9-19980d1ad140\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b8ea0d85-673c-4f28-9397-48baf5fd0cb1\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"b8ea0d85-673c-4f28-9397-48baf5fd0cb1\",\"title\":\"Top 10 Sender Name [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Trend 
Micro Vision One] Detection",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json
deleted file mode 100755
index 0ee2078bd0..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json
+++ /dev/null
@@ -1,82 +0,0 @@
-{
- "attributes": {
- "description": "Trend Micro Vision One Alert Events Overview.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.alert\\\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c66b406f-8e28-4d47-9fc4-39b968af345d\":{\"columnOrder\":[\"f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6\",\"e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea\"],\"columns\":{\"e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Severity\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"log.level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6\"],\"layerId\":\"c66b406f-8e28-4d47-9fc4-39b968af345d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"04cd99db-4dd5-4eca-ab0a-f922068c9a25\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"04cd99db-4dd5-4eca-ab0a-f922068c9a25\",\"title\":\"Distribution of Alert by Severity [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"93eb5209-5e6d-4079-a4a1-2bfab8dd99df\":{\"columnOrder\":[\"58ad7a12-5367-4cb6-8a1c-89b678df8266\",\"c4ac9c4a-bc44-4309-9279-779185b07336\"],\"columns\":{\"58ad7a12-5367-4cb6-8a1c-89b678df8266\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"c4ac9c4a-bc44-4309-9279-779185b07336\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Score\",\"operationType\":\"median\",\"scale\":\"ratio\",\"sourceField\":\"event.severity\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c4ac9c4a-bc44-4309-9279-779185b07336\"],\"layerId\":\"93eb5209-5e6d-4079-a4a1-2bfab8dd99df\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"58ad7a12-5367-4cb6-8a1c-89b678df8266\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db54892f-8ac3-49ed-9ec3-7cfe7648f646\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"db54892f-8ac3-49ed-9ec3-7cfe7648f646\",\"title\":\"Trend of Alert Score Over Time [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ac7eae8e-47b7-494d-aa59-23badf3efe0f\":{\"columnOrder\":[\"1a94ba46-8da2-4c13-86ae-6f0217196e37\",\"896c9e40-e894-44bd-95cf-8098f7a30f3d\"],\"columns\":{\"1a94ba46-8da2-4c13-86ae-6f0217196e37\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Investigation 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"896c9e40-e894-44bd-95cf-8098f7a30f3d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.alert.investigation_status\"},\"896c9e40-e894-44bd-95cf-8098f7a30f3d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a94ba46-8da2-4c13-86ae-6f0217196e37\"],\"layerId\":\"ac7eae8e-47b7-494d-aa59-23badf3efe0f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"896c9e40-e894-44bd-95cf-8098f7a30f3d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"123f8240-4cc6-4003-83af-43553d428928\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"123f8240-4cc6-4003-83af-43553d428928\",\"title\":\"Distribution of Alert by Investigation Status [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4d3824b7-1c3f-44cd-b84d-88552f0eff69\":{\"columnOrder\":[\"1ad9ba6d-9cb3-4330-801c-f956897bcafa\",\"0b3248dd-237b-4f84-badb-d179a9e76f4f\"],\"columns\":{\"0b3248dd-237b-4f84-badb-d179a9e76f4f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"1ad9ba6d-9cb3-4330-801c-f956897bcafa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Entity Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0b3248dd-237b-4f84-badb-d179a9e76f4f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.alert.impact_scope.entities.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ad9ba6d-9cb3-4330-801c-f956897bcafa\"],\"layerId\":\"4d3824b7-1c3f-44cd-b84d-88552f0eff69\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0b3248dd-237b-4f84-badb-d179a9e76f4f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"dee1cbd0-6143-4245-ab3f-b8cd4022e67e\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"dee1cbd0-6143-4245-ab3f-b8cd4022e67e\",\"title\":\"Distribution of Alert by Entity Type [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"464ea482-63a1-4427-8f9c-224e693d4ffc\":{\"columnOrder\":[\"d3f7e999-2c6b-4b3f-bbca-72ec716b4285\",\"6c73fc78-7633-468b-9018-96c35a90e619\"],\"columns\":{\"6c73fc78-7633-468b-9018-96c35a90e619\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d3f7e999-2c6b-4b3f-bbca-72ec716b4285\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicator 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6c73fc78-7633-468b-9018-96c35a90e619\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.alert.indicators.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"6c73fc78-7633-468b-9018-96c35a90e619\"],\"layerId\":\"464ea482-63a1-4427-8f9c-224e693d4ffc\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"d3f7e999-2c6b-4b3f-bbca-72ec716b4285\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9e5504f2-2732-40d5-a0c8-c885c93a8153\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"9e5504f2-2732-40d5-a0c8-c885c93a8153\",\"title\":\"Distribution of Alert by Indicator Type [Logs Trend Micro Vision 
One]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"38c2ae2f-27fd-47dc-911f-4aa95f5545d1\":{\"columnOrder\":[\"56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa\",\"a78e27d3-f17e-4e38-8815-4cb90a1c006f\"],\"columns\":{\"56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Matched Rule\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a78e27d3-f17e-4e38-8815-4cb90a1c006f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"trend_micro_vision_one.alert.matched_rule.name\"},\"a78e27d3-f17e-4e38-8815-4cb90a1c006f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa\"},{\"columnId\":\"a78e27d3-f17e-4e38-8815-4cb90a1c006f\"}],\"layerId\":\"38c2ae2f-27fd-47dc-911f-4aa95f5545d1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"eabd35ae-1d20-403d-ab31-993d621aa11d\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"eabd35ae-1d20-403d-ab31-993d621aa11d\",\"title\":\"Top 10 Matched Rule [Logs Trend Micro Vision One]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs 
Trend Micro Vision One] Alert",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/0.1.0/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/0.1.0/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json
deleted file mode 100755
index 7f1d973156..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "source.user.name",
- "source.user.roles",
- "trend_micro_vision_one.audit.details"
- ],
- "description": "",
- "grid": {},
- "hideChart": true,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"trend_micro_vision_one.audit\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Audit Events Essential Details [Logs Trend Micro Vision One]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/0.1.0/manifest.yml b/packages/trend_micro_vision_one/0.1.0/manifest.yml
deleted file mode 100755
index f0d1169659..0000000000
--- a/packages/trend_micro_vision_one/0.1.0/manifest.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-format_version: 1.0.0
-name: trend_micro_vision_one
-title: Trend Micro Vision One
-version: '0.1.0'
-license: basic
-description: Collect logs from Trend Micro Vision One with Elastic Agent.
-type: integration
-categories:
- - security
-conditions:
- kibana.version: ^8.4.0
-screenshots:
- - src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png
- title: Trend Micro Vision One Dashboard Screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/trend-micro-vision-one-logo.svg
- title: Trend Micro Vision One Logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: trend_micro_vision_one
- title: Trend Micro Vision One
- description: Collect logs from Trend Micro Vision One.
- inputs:
- - type: httpjson
- title: Collect Trend Micro Vision One logs via API
- description: Collecting Trend Micro Vision One logs via API.
- vars:
- - name: hostname
- type: text
- title: URL
- description: Trend Micro Vision One domain name.
- required: true
- name: api_token
- type: password
- title: API Token
- description: API Token with API Access Level type.
- required: true
- name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-owner:
- github: elastic/security-external-integrations